A Washington woman is suing Alaska-based behavioral health provider Akeela Inc. after a 2023 data breach. The federal class-action lawsuit claims it wasn’t until last month that the nonprofit told former patients their personal data had been stolen.
Akeela has facilities in Homer, Kenai, and Anchorage. It ceased operations in Ketchikan earlier this summer.
When patients are admitted to one of Akeela’s programs, they have to provide intake information. Like many healthcare providers, this includes things like dates of birth, Social Security numbers and diagnostic and health treatment information. Because of all the information on their servers, the American Hospital Association says medical providers like Akeela are worth a pretty penny to hackers.
Current and former patients of Akeela’s substance abuse and mental health programs received a letter in late July saying the provider had been the victim of a cyberattack. According to the recent lawsuit filed against the nonprofit, the personal and medical information of over 280,000 patients was stolen.
But the letter says that the breach happened around June of 2023 — over a year before patients were notified.
As a result, a former Akeela patient living in Washington state is suing the organization in U.S. District Court. The lawsuit alleges negligence, breach of contract and invasion of privacy, among other things.
According to the lawsuit, Akeela failed to take the proper, industry-standard measures to safeguard their patients’ information. That stolen information now puts them in danger of identity theft, fraud, and further cybercrime, potentially for the rest of their lives. And by doing so, the complaint says, the behavioral health provider has breached both its fiduciary contract — basically, by not using the money patients paid them to adequately protect their identities — and its legal contract with patients.
Akeela has a Notice of Client Privacy Practices on its website that states “Akeela is required by law to maintain the privacy of your health information.”
The law firm that filed the suit didn’t return KRBD’s emails or phone calls about the lawsuit.
It can be costly to mitigate the risk of having one’s personal data stolen. It often requires time and money put into credit monitoring, email accounts, and other preventative measures. Plus, there’s the possibility of more spam texts and emails.
The lawsuit claims that if Akeela had alerted their patients in a timely manner — not a year later — they could’ve gotten a jump on those measures a lot sooner. It goes on to say that there have already been reports of identity theft and fraud among patients as a result of the breach.
Akeela has not responded to multiple phone or email requests for comment.