Gateway Rehab Hit with Class Action Over 2022 Breach of Private Patient Data

New to ClassAction.org? Read our Newswire Disclaimer

Gateway Rehab faces a proposed class action that claims the Pennsylvania medical center failed to protect patients’ personal health information from a “significant” and “preventable” data breach discovered in June 2022.

According to the 48-page lawsuit, the personally identifiable information (PII) and protected health information (PHI) of roughly 130,000 current and former patients was compromised in the cyberattack that targeted Gateway Rehabilitation Center, who does business as Gateway Rehab. The suit relays that a subsequent investigation determined the stolen data included patients’ “name[s], date[s] of birth, Social Security number[s], driver’s license or state ID number[s], financial account[s] and/or payment card number[s], medical information and health insurance information.”

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The case charges that, as a “massive repository” of personal information and a “particularly lucrative target for data thieves,” the medical center, which provides inpatient and outpatient drug rehab, extended care, withdrawal management, substance abuse support and other programs, “recklessly disregarded” its patients’ privacy rights by failing to safeguard its systems.

The cyberattack was the “inevitable result” of the rehabilitation center’s insufficient data security practices, the lawsuit alleges. The defendant’s apparently “careless” failure to employ up-to-date security systems was, according to the complaint, not only a “[betrayal of] trust” but a major violation of HIPAA, which protects the confidentiality of health-related information.

The case adds that Gateway Rehab also failed to promptly notify patients that their information had been compromised. Per the suit, the medical center discovered the data breach on June 13 of this year and only began sending notices to victims on November 18.

Further, the defendant’s announcement “deliberately underplayed the Breach’s severity and obfuscated the nature of the Breach,” the complaint reads. “Defendant’s notice sent to impacted individuals fails to explain how the breach happened, how many people were impacted, and why the unauthorized party had unfettered access to Plaintiff’s and the Class’s Sensitive Information,” the filing relays.

According to the complaint, healthcare organizations and medical centers had the highest rate of data breaches in 2021. They are considered a “primary target because they sit on a gold mine of sensitive personally identifiable information for thousands of patients at any given time,” the suit notes.

The case charges that by collecting and storing patients’ personal and medical information, Gateway Rehab should have understood the significant risk of a data breach and that it had an obligation to uphold strict security standards.

Since the cyberattack, the plaintiff, a Pennsylvania resident and former patient at Gateway Rehab, claims to have received a “substantial number of spam emails and phone calls,” which he believes are directly linked to the data breach, the filing says.

The complaint contends that the rehabilitation center behaved “wantonly, maliciously, and outrageously” and put thousands of patients in danger of identity theft and other personal injury for the rest of their lives.

The lawsuit looks to represent anyone in the United States who received notice from Gateway Rehab that they were affected by the data breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.