Allwell Behavioral Health Services, an Ohio-based mental healthcare provider, recently confirmed a data breach after an unauthorized person was able to access the company’s computer network. According to Allwell, the breach resulted in the following patient information being compromised: names, dates of birth, Social Security numbers, phone numbers, treatment activity, treatment provider, treatment date, treatment location, and payer information. On May 23, 2022, Allwell provided notice of the breach to all affected parties by sending out data breach notification letters.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Allwell Behavioral Health Services data breach, please see our recent piece on the topic here.
More About the Allwell Behavioral Health Services Data Breach
According to a notice posted on the company’s website, on March 5, 2022, Allwell first learned about a potential data security incident. In response, the company took the necessary steps to secure its computer systems and then enlisted the help of cybersecurity professionals to investigate the incident.
This investigation revealed that on or around March 2, 2022, an unauthorized party accessed the system Allwell uses to store quality assurance information. Further investigation indicated that the unauthorized user also likely downloaded an undetermined number of files containing sensitive patient data.
Upon discovering that sensitive consumer data was compromised, Allwell Behavioral Health Services then reviewed all of the files that were accessible to the unauthorized user to determine which patients were impacted and what information was involved. While the breached information varies depending on the individual, it may include your name, date of birth, Social Security number, phone number, treatment activity, treatment provider, treatment date, treatment location, and payer information.
On May 23, 2022, Allwell Behavioral Health Services sent out data breach letters to those patients who were impacted by the incident.
What Is Allwell Behavioral Health Services?
Allwell Behavioral Health Services is a private, not-for-profit provider of mental health and behavioral health services. The company is based in Zanesville, Ohio and serves the surrounding area, including patients in Coshocton, Guernsey, Morgan, Muskingum, Noble and Perry counties. Allwell has a staff of approximately 238 employees, including psychiatrists, certified nurse practitioners, psychologists, licensed professional counselors, licensed professional clinical counselors, licensed social workers, and licensed independent social workers. Allwell Behavioral Health Services generates approximately $22 million in annual revenue.
Who Is Responsible for a Data Breach?
Data breaches involve a hacker or some other type of bad actor intentionally bypassing a company’s data security system in an attempt to access consumer data. When it comes to determining liability after a data breach, the hacker or group of hackers that orchestrated the attack is certainly responsible. However, tracking down a hacker after a data breach is challenging. And even if you could find them, it may not be worth pursuing a claim against them because they may not have the assets to satisfy a judgment.
However, when thinking about who is responsible for a data breach, it’s not as easy as placing all the blame on the criminal actor who orchestrated the attack. The company that stored the information may also be responsible. On one hand, those companies that are targeted in a data breach are victims; however, on the other hand, these companies are the first line of defense against cyberattacks and have an important responsibility to protect consumer data from cybercriminals.
Under US data breach laws, companies and organizations that store consumer data actually have a legal obligation to keep this data safe. Thus, organizations that negligently maintain consumer data may be held financially liable after a breach. However, while state and federal laws allow data breach victims to hold negligent companies accountable after a data breach, these claims are complex. Thus, anyone interested in learning more about data breach claims should consult with a data breach lawyer for assistance.
Below is a copy of the initial data breach letter issued by Allwell Behavioral Health Services (the actual notice sent to consumers can be found here. A link to the notice provided on the company’s website can be found here.):