Rehab center hit with hack, subsequent lawsuit

PITTSBURGH — A major nonprofit health care provider has been impacted by a cyber incident and is now facing a subsequent lawsuit.

Gateway Rehabilitation Center reported the incident to the U.S. Department of Health and Human Services on November 18, noting that 130,000 people were impacted.

A letter sent to patients that same day states that the rehab center “experienced an incident disrupting access” to its systems. The letter claimed the company has “no evidence that any of the potentially impacted information has been misused.”

A proposed class-action lawsuit filed this week in federal court, however, claims that Gateway had “inadequate data security” and thus enabled sensitive information to be “accessed by hackers, posted on the dark web, and exposed to an untold number of unauthorized individuals.”

The suit, filed on behalf of a patient, references a report that claims a hacker group leaked data containing sensitive information onto a ransomware website on the dark web. The data, the suit notes, contained “personal information on patients, such as their arrest records and history of behavior and substance-related issues.” The document further alleges that Social Security numbers, birth dates, financial account and payment card information, and driver’s license numbers were also “implicated” in the breach, putting people at risk “that may last for the rest of their lives.”

The suit further accuses Gateway of failing to inform patients soon enough of the incident and requests a jury trial to determine damages.

A Gateway spokesperson declined to comment on the lawsuit, but offered the following statement regarding the security incident:

“At the time of discovering a possible incident, we took immediate steps including, but not limited to, working closely with independent digital forensics and incident response experts. Since the investigation confirmed a data security incident, we have been following all necessary protocols and provided notification to all potentially impacted. It is terrible that these malicious attacks are becoming more common across all sectors. We will continue to do what we can to support anyone affected by this particular incident involving our data. We have established a helpline to answer questions and address concerns. Call center information is available on our website or by contacting Gateway Rehab at 412-604-8900.”

The law firm representing the plaintiff declined to comment on the suit.

Jim Van Dyke, a cybersecurity expert who has served as an expert witness in data breach cases, told Channel 11 that generally, “there is standing for identity holders to show damage, because we successfully have been able to document that identity holders are at increased individual risk of identity crimes.” He said people are particularly vulnerable to crimes when “permanent” records are exposed, like a Social Security number, as opposed to a password or even a credit card number.

Van Dyke is an executive at Sontiq, a TransUnion Company, which tracks and ranks data breaches. He said the Gateway breach is “significant” considering the information that was exposed. He said that hackers could commit fraud against existing bank or credit accounts and could even open new accounts in a victim’s name.

“These people are at greater risk and they need to take action,” he said, suggesting that people carefully monitor their accounts and carefully follow the steps outlined within legitimate warning letters.

Van Dyke said that health care institutions are increasingly being targeted in these sorts of cyber incidents.