Horizon House

30 Dec, 2021

On October 22, 2021, Mason Lietz & Klinger LLP filed a class action against Horizon House, a Philadelphia-based mental health treatment center and service provider. The complaint alleges that a data breach exposed the personal information of tens of thousands of current and former employees and patients.

Former employee Joseph Jones said Horizon House Inc., which provides behavioral health, disability and homeless services, had collected private information such as Social Security numbers and driver’s license numbers from patients and employees, and that information was stolen when scammers gained access to the company’s computer systems for several days in March 2021. The company did not notify the people whose information was stolen until September, the suit said.

“As a result of the data breach, plaintiff and approximately 27,823 class members suffered present injury and damages in the form of identity theft, the loss of the benefit of their bargain, out-of-pocket expenses and the value of the time reasonably incurred to remedy or mitigate the effects of the unauthorized access, exfiltration, and subsequent criminal misuse of their sensitive and highly personal information,” the complaint filed Friday in the Philadelphia Court of Common Pleas said. “Plaintiff’s and class members’ identities are now at considerable risk because of defendant’s negligent conduct since the private information that Horizon House collected and maintained is now in the hands of data thieves.”

Jones seeks to represent all patients and employees whose data was stolen in the breach, and makes claims of negligence, breach of implied contract, unjust enrichment and breach of privacy. The proposed class seeks damages for any losses or expenses incurred due to identity theft, along with free credit monitoring and a court order that Horizon House take steps to improve its information security.

Jones had been a Horizon House counselor for about a year from 2017 to 2018. In mid-September 2021, he and others got notice from Horizon House about a data breach.

Horizon House said in the notice that it had discovered March 5 that someone outside the company had gained access to its computer system starting sometime around March 2, and had “potentially viewed or taken” people’s private information from the system. Though the notice did not specify the type of attack that had occurred, Jones’s complaint characterized it as a “targeted email phishing attack.”

The potentially stolen information included patients’ and employees’ full names, addresses, Social Security numbers, driver’s license numbers, state identification numbers, employment passport numbers, and medical information, the suit said.

The complaint details the ways in which bad actors could purchase stolen information on the web and use it, such as filing fraudulent claims for unemployment benefits, opening bank accounts or lines of credit, and filing false tax returns. Scammers could also exploit the stolen data to trick victims into revealing additional information, the suit said.

“After and as a result of the data breach, plaintiff Jones has experienced a substantial increase in suspicious scam phone calls, emails, texts, all of which appear to be placed with the intent to obtain personal information to commit identity theft by way of a social engineering attack,” the complaint said.

Jones’s complaint said Horizon House should have known the data it collected was at significant risk, both because of its value to hackers and the rate at which hospitals and medical providers are targeted for such data thefts.

“Hospitals have emerged as a primary target because they sit on a gold mine of sensitive personally identifiable information for thousands of patients at any given time,” the complaint said. “From Social Security and insurance policies, to next of kin and credit cards, no other organization, including credit bureaus, have so much monetizable information stored in their data centers.”

Jones claims that the company violated numerous best practices and laws, including its common-law duty to protect private information it collected, the Federal Trade Commission Act and the Health Insurance Portability and Accountability Act.

“Defendant had obligations created by HIPAA, the employer-employee relationship, contract, industry standards, common law, and its own promises and representations made to plaintiff and class members to keep their private information confidential and to protect it from unauthorized access and disclosure,” the complaint said. “As the result of allowing its computer systems to fall into dire need of security upgrading and its inadequate procedures for handling cybersecurity threats, defendant negligently and unlawfully failed to safeguard plaintiff’s and the class members’ private information.”

The case is Jones v. Horizon House Inc., Case Number 211001767, in the Court of Common Pleas for Philadelphia, Pennsylvania.

