A Washington woman is suing Alaska-based behavioral health provider Akeela related to a 2023 data breach. The lawsuit claims it wasn’t until last month that the nonprofit told former patients their personal data had been stolen.
Akeela Inc. has facilities in Homer, Kenai, and Anchorage. They shuttered their operations in Ketchikan earlier this summer.
When a patient is admitted to one of Akeela’s programs, they have to provide intake information. Like many healthcare providers, this includes things like date of birth, social security number, and diagnostic and health treatment information. Because of all the information on their servers, the American Hospital Association says medical providers, like Akeela, are worth a pretty penny to hackers.
Current and former patients of Akeela’s substance abuse and mental health programs received a letter in late July saying the provider had been the victim of a cyberattack. According to the recent lawsuit filed against the nonprofit, the personal and medical information of over 280,000 patients was stolen.
The letter says, though, that the breach happened around June of 2023, over a year before that letter went out.
So, a former Akeela patient living in Washington state, is suing the organization. The lawsuit alleges negligence, breach of contract and invasion of privacy, among other things.
According to the lawsuit, Akeela failed to take the proper, industry-standard measures to safeguard their patients’ information. That stolen information now puts them in danger of identity theft, fraud, and further cybercrime, potentially for the rest of their lives. And by doing so, the complaint says, the behavioral health provider has breached both its fiduciary contract – basically, by not using the money patients paid them to adequately protect their identities – and their legal contract with patients.
Akeela has a Notice of Client Privacy Practices on its website that states QUOTE “Akeela is required by law to maintain the privacy of your health information.” UNQUOTE
The law firm that filed the class-action suit on behalf of the plaintiff didn’t return KRBD’s emails or phone calls about the lawsuit.
It can be costly to mitigate the risk of having one’s personal data stolen. It often requires time and money put into credit monitoring, email accounts, and other preventative measures. Plus, there’s the possibility of more spam texts and emails.
The lawsuit claims that if Akeela had alerted their patients in a timely manner – not a year later – they could’ve gotten a jump on those measures a lot sooner. It goes on to say that there have already been reports of identity theft and fraud among patients as a result of the breach.
Akeela has not responded to multiple phone or email requests for comment.