Class Action Claims Horizon House Data Breach Exposed Info of 27,000-Plus Employees, Patients

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action alleges Philadelphia’s non-profit Horizon House maintained sensitive information in a reckless manner prior to a March 2021 data breach that affected more than 27,000 employees and patients. 

The 45-page lawsuit alleges Horizon House, a facility that provides behavioral health, rehabilitation, employment, homeless, assisted living, and residential treatment services, promised to safeguard and keep confidential the personal information under its care yet failed to take reasonable steps to protect itself from attack. The suit claims Horizon House stored sensitive data on a computer system and network that were vulnerable to cyberattacks, including the phishing attack perpetrated by those responsible for the breach.

According to the complaint, Social Security, driver’s license, state ID and employment passport numbers, as well as names, addresses and medical information, of 27,823 individuals were accessed and exfiltrated without authorization from March 2 to March 5, 2021. As a result of the incident, those affected by the breach, who were allegedly not informed by Horizon House until six months later, now face a considerable risk of identity theft and fraud, the suit relays: 

“Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes, including but not limited to fraudulently applying for unemployment benefits, opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ names to obtain medical services, using Class Members’ health information to target other phishing and hacking intrusions based on their individual health needs, using Class Members’ information to obtain government benefits (including unemployment or COVID relief benefits), filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph and providing false information to police during an arrest.” 

On March 5, 2021, Horizon House discovered “suspicious activity” in its technology system and became aware that its system had been accessed without authorization, the case says. Despite discovering the cyberattack in early March, however, Horizon House did not begin notifying victims, much less states’ attorneys general and the U.S. Department of Health and Human Services, until September 17, which was more than six months after the defendant’s discovery of the breach, the lawsuit states.

The complaint asserts that the healthcare-specific data compromised in the cyberattack is protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As the suit tells it, the Horizon House data breach was imminently foreseeable given the prevalence of similar phishing attacks and hacks within the medical industry.

The plaintiff, a former Horizon House counselor, claims to have received a substantial increase in suspicious scam calls, emails and texts since the data breach and has had to spend time monitoring his accounts for potential fraud. 

To date, Horizon House has “done little to nothing” to help those affected by the cyberattack, the lawsuit alleges. 

“Defendant has merely offered Plaintiff and Class Members credit monitoring services, but this does nothing to compensate them for damages incurred and time spent dealing with the Data Breach,” the suit reads. “Moreover, the fraud and identity theft monitoring service offered by Defendant are wholly inadequate as the services are offered for an inadequate length of time and the burden is placed squarely on Plaintiff and Class Members by requiring them to expend time signing up for that service, as opposed to automatically enrolling all victims of this cybercrime.” 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.