Akeela faces legal action for alleged negligence in handling patient data

A Washington woman has filed a lawsuit against Akeela Inc., an Alaska-based behavioral health provider, following a 2023 data breach that exposed the personal and medical information of over 280,000 patients. The legal action was initiated after the nonprofit’s delayed notification to affected individuals, claims negligence, breach of contract, and invasion of privacy, among other allegations.

Akeela Inc., which operates facilities in Homer, Kenai, and Anchorage and recently closed its Ketchikan operations, reportedly experienced a cyberattack in June 2023. However, it wasn’t until July 2024 that current and former patients were informed of the breach. The lawsuit contends that this delay significantly increased the risk of identity theft, fraud, and other cybercrimes for those affected.

The compromised data includes sensitive information typically collected during patient intake, such as dates of birth, Social Security numbers, and diagnostic and treatment records. The American Hospital Association has noted that healthcare providers, like Akeela, are particularly lucrative targets for hackers due to the wealth of valuable information stored on their servers.

The plaintiff, a former Akeela patient from Washington state, argues that the organization failed to implement industry-standard security measures to protect patient data. The lawsuit asserts that Akeela’s inadequate data protection measures breached fiduciary and legal patient contracts. Specifically, the complaint highlights Akeela’s failure to allocate sufficient resources to safeguard patient identities despite the financial compensation they received.

Akeela’s Notice of Client Privacy Practices, available on their website, states that the organization is “required by law to maintain the privacy of your health information.” The lawsuit contends that Akeela’s actions—or lack thereof—violated this commitment.

The delayed notification of the breach has potentially compounded the financial and emotional toll on affected individuals. Victims may need to invest in credit monitoring, email security, and other preventive measures to mitigate the risk of identity theft and fraud. The lawsuit points out that earlier notification could have allowed patients to take protective actions much sooner, possibly preventing some of the reported cases of identity theft and fraud already linked to the breach.

Akeela Inc. has not responded to multiple requests for comment regarding the lawsuit. Additionally, the law firm representing the plaintiff in the class-action suit has remained unavailable for comment.