On October 6, 2024, Drug and Alcohol Treatment Services, Inc. (DATS), a non-profit provider based at 441 Wyoming Avenue in Scranton, Pennsylvania, identified unauthorized access to its computer network.
A forensic investigation later confirmed that a third party had gained access to sensitive systems between October 5 and October 6, 2024. The breach exposed the protected health information (PHI) of 22,215 individuals, including names, dates of birth, medical histories, treatment details, health insurance and medical claims information, billing records, Social Security numbers, and financial data.
Although DATS confirmed the breach on December 5, 2024, affected individuals were not notified until May 2, 2025, nearly seven months after the attack. The Interlock ransomware group claimed responsibility for the cyberattack and reported stealing 150 GB of data, which was later leaked online after DATS refused to pay the ransom. The leaked files allegedly include data from both patients and employees. DATS offered credit monitoring and identity theft protection services to those affected.
SLF, Inc. reported on the breach itself, stating, “On April 24, 2025, Drug and Alcohol Treatment Services, Inc. notified the public of a data breach that occurred due to a hacking incident targeting their network server. The breach has affected approximately 22,215 individuals, exposing sensitive information that could have serious implications for those involved. As investigations continue, the full extent of the data compromised remains to be fully assessed.”
Patients seeking help for substance use disorders often provide extremely sensitive personal and medical information, expecting it to be kept private. The lawsuits allege that DATS failed to implement reasonable security measures and then delayed notifying victims for months, preventing them from taking timely steps to protect themselves. These claims, ranging from negligence to breach of fiduciary duty, signal to all healthcare entities that data protection is not optional.
A data breach occurs when unauthorized individuals gain access to sensitive, confidential, or protected information. In healthcare, this often includes PHI.
Ransomware is malicious software that locks or steals data from a computer system and demands payment for its return.
It depends on how the organization responds. If it quickly strengthens its security systems, increases transparency, and commits to data protection going forward, continuing care may be safe.