Allwell Behavioral Health Services

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

In March 2022, Allwell Behavioral Health Services, a non-profit behavioral health agency operating in southeastern Ohio, experienced a significant data breach. This incident led to unauthorized access to sensitive personal information of its patients and employees, affecting nearly 30,000 individuals. The compromised data included Social Security numbers, names, phone numbers, addresses, dates of birth, treatment activities, provider details, payer information, bank account numbers, and driver’s license numbers[4][5][6].

Following the breach, Allwell Behavioral Health Services faced a class action lawsuit, alleging negligence in failing to protect the sensitive personal information from cybercriminals. The lawsuit contended that Allwell’s alleged negligence allowed cybercriminals to gain access to this sensitive data[1]. In response to the lawsuit, Allwell agreed to a $650,000 settlement to resolve the claims without admitting any wrongdoing. The settlement terms included a $50 flat-rate payment to class members, which could be adjusted based on the number of valid claims. Additionally, class members could claim up to $4,000 for unreimbursed monetary losses related to the breach. The settlement also compensated lost time at a rate of $25 per hour, contributing to the reimbursement cap for monetary losses[1].

To be eligible for the settlement, individuals had to have received a data breach notification from Allwell Behavioral Health regarding the March 2022 data breach. The final approval hearing for the settlement was scheduled for November 9, 2023, with the deadline for submitting a valid claim form by October 11, 2023[1][3].

This data breach and subsequent settlement highlight the growing concerns over data security in the healthcare sector, emphasizing the importance of robust cybersecurity measures to protect sensitive patient information.

Citations:

  1. https://topclassactions.com/lawsuit-settlements/closed-settlements/allwell-behavioral-health-data-breach-650k-class-action-settlement/
  2. https://www.dataguidance.com/news/usa-allwell-notifies-ocr-data-security-incident
  3. https://www.allwelldatasettlement.com
  4. https://www.turkestrauss.com/2022/05/31/allwell-behavioral-health-services-data-breach-investigation/
  5. https://www.beckershospitalreview.com/cybersecurity/ohio-data-breach-affects-nearly-30-000-patients.html
  6. https://www.hipaajournal.com/phi-potentially-compromised-in-security-incidents-at-allwell-behavioral-health-services-and-welldynerx/
  7. https://www.nbc4i.com/news/local-news/the-biggest-healthcare-data-breaches-you-should-know-about-in-ohio/
  8. https://www.zanesvilletimesrecorder.com/story/news/local/2022/05/25/allwell-behavioral-health-services-reports-cybersecurity-incident/9923714002/
  9. https://www.cleveland.com/news/2023/08/these-were-the-10-biggest-healthcare-data-breaches-in-ohio-last-year.html
  10. https://www.doj.nh.gov/consumer/security-breaches/documents/allwell-behavioral-health-20220523.pdf
  11. https://www.jdsupra.com/legalnews/patient-information-including-social-9303700/
  12. https://www.hipaa.info/phi-exposed-in-allwell-behavioral-health-services-and-welldynerx-security-incidents/
  13. https://www.hipaajournal.com/allwell-behavioral-health-settles-data-breach-class-action-for-650000/
Breach Submission Date May 23, 2022
Converted Entity Name Allwell Behavioral Health Services
Converted Entity Type Healthcare Provider
State OH
Individuals Affected 29,972
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes