The Pennsylvania-based provider of addiction treatment services has ended years-long litigation stemming from an October 2024 ransomware attack.
What happened
Earlier this month, the addiction service provider agreed to settle the lawsuit Leo Woytach, et al v. Drug and Alcohol Treatment Services, Inc. in the Court of Common Pleas of Lackawanna County, Pennsylvania. The final lawsuit was the result of eight class action lawsuits that were all consolidated, alleging that Drug and Alcohol Treatment Services (DATS) was negligent, breached implied contract, breached fiduciary duty, and more.
The lawsuits stemmed from a ransomware attack in 2024 that exposed approximately 22,215 patients’ personal and protected information, including names, dates of birth, Social Security numbers, health insurance information, medical billing/claims information, patient account numbers, prescription/medication information, and diagnosis/treatment information.
Following mediation, both parties agreed to a settlement to avoid the time, costs, and unknown outcome associated with going to trial.
The backstory
According to a data breach notice issued to the Attorney General of Vermont on May 2nd, 2025, DATS became aware of unusual activity on their network on October 6th, 2024. Through an investigation, they determined that an unauthorized actor had accessed files between October 5th, 2024, and October 6th, 2024.
Although DATS never confirmed, it’s believed that the ransomware group Interlock was responsible for the attack. The group allegedly claimed 150 GB of data was stolen and published on its data leak website, as no ransom was paid. Interlock claimed to have data of both employees and patients.
Going deeper
According to the FBI’s alert on Interlock, where they detail the group's tactics and modus operandi, Interlock was first observed targeting organizations in late September 2024. The group appears to target critical infrastructure, like healthcare organizations, and other businesses in the United States and Europe. The FBI noted they target groups based on opportunity and are financially motivated. They tend to use social engineering tactics to trick organizations into executing malicious programs. They also use a double extortion model, meaning they encrypt data (prevent organizations from accessing their own data) and exfiltrate it, so that organizations feel pressured to pay a ransom to prevent the data from being stolen.
Why it matters
Data related to substance abuse is particularly vulnerable because of the increased stigma associated with substance abuse, as well as the history of criminalization. Substance use can impact someone’s reputation, ability to have gainful employment, and more. In the journal Australas Psychiatry, researchers noted that when data related to psychiatry or substance abuse is stolen, it can subject patients and doctors to “blackmail, fraud, identity theft, and targeted scams. Medical diagnoses of psychiatric illness and substance use disorder may be released in blackmail attempts.”
FAQs
What can victims of double extortion do?
Cybersecurity Infrastructure and Security Agency outlines a thorough guide on how to respond to ransomware attacks, but some of the main components include securing the system, using back-ups, and contacting law enforcement. First, organizations should prioritize locking down and securing their systems, so that no more data is encrypted. If organizations have them, they should use back-up files of data or systems. Breaches should also be reported, and law enforcement agencies may be able to help files get decrypted. Generally, it is not advised for organizations to pay ransoms, but victims will make this final decision with the guidance of law enforcement.
How did a relatively small victim count lead to a large settlement?
Settlements vary greatly depending on the information involved and how the case is presented. The fact that substance use information, which is particularly vulnerable, was stolen, could have played a role. There was also a delay in victims receiving notification. While it’s unclear why exactly some settlements are relatively large and some are relatively small, it’s likely that this case was impacted by the type of data involved alongside other factors, like the breach timeline.
