Active breach tracker Scranton, PA Disclosed April 24, 2025

Drug and Alcohol Treatment Services (DATS) Data Breach 2025 (Interlock Ransomware): 22,215 Pennsylvania SUD Patients Exposed. 42 CFR Part 2 Records in Scope. Eight+ Class Actions Consolidated. What To Do

Drug and Alcohol Treatment Services, Inc. (DATS), a Scranton, PA outpatient addiction-treatment provider, disclosed an October 2024 Interlock ransomware intrusion that exposed names, Social Security numbers, dates of birth, diagnoses, medications, doctor names, and treatment records of 22,215 patients. Filed with HHS OCR on April 24, 2025. Eight-plus class actions consolidated as Woytach v. DATS in Lackawanna County. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 5, 2024

Unauthorized access window begins (network server)

Oct 6, 2024

Unusual activity detected on the DATS network

Dec 5, 2024

Forensic investigation confirms third-party access to PHI

Apr 24, 2025

HIPAA breach reported to HHS Office for Civil Rights (22,215 affected)

May 2, 2025

Individual notification letters mailed; state AG filings begin (ME, MA, NH, TX, CA, others)

May 2, 2025

First class actions filed in the Court of Common Pleas of Lackawanna County

Sep 4, 2025

Court consolidates 8+ class actions as Woytach v. DATS, No. 25-CV-3681; Shub Johns & Holbrook appointed Interim Co-Lead Counsel

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number Date of birth Government ID

02

Health records

Don't expire and can't be reissued

Medical diagnosis and treatment information Medication information

03

Contact & insurance

Phishing + targeted scams

Full name Home address Treating physician / doctor names Health insurance information Patient account numbers Medical claims and billing information Financial information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Shub Johns & Holbrook LLP (Interim Co-Lead Counsel, Samantha Holbrook) Strauss Borrelli PLLC (investigating / filed) Federman & Sherwood (investigating) Arnold Law Firm (investigating) Morgan & Morgan (investigating) Schubert Jonckheer & Kolbe LLP (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Drug and Alcohol Treatment Services, Inc. (DATS) is a Pennsylvania nonprofit outpatient addiction-treatment provider headquartered at 441 Wyoming Avenue, Scranton, in Lackawanna County. DATS delivers drug and alcohol treatment services to adolescents and adults, which means its patient records are federally assisted substance-use-disorder (SUD) treatment records subject to 42 CFR Part 2 in addition to HIPAA.

On October 6, 2024, DATS detected unauthorized activity on its computer network. A forensic investigation confirmed that an unauthorized third party had access to systems on October 5 and 6, 2024, and on December 5, 2024 confirmed that the threat actor had accessed and exfiltrated files containing protected health information. DATS reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights on April 24, 2025, listing 22,215 affected individuals in a Hacking/IT Incident at a network server. Individual notification letters were mailed beginning May 2, 2025, roughly seven months after the intrusion was detected — a delay that became a central allegation in the class actions that followed.

The attack has been publicly attributed to the Interlock ransomware group, which posted DATS to its dark-web leak site and claimed approximately 150 GB of exfiltrated data.

Timeline

  • October 5 to 6, 2024. Unauthorized access to the DATS network; activity detected October 6.
  • December 5, 2024. Forensic review confirms protected health information was accessed and copied.
  • April 24, 2025. HIPAA breach notification filed with HHS OCR (22,215 individuals, Network Server).
  • May 2, 2025. Individual notification letters mailed. State AG filings submitted to Maine, Massachusetts, New Hampshire, Texas, California, Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, Vermont, and Washington.
  • May 2025 through August 2025. At least eight putative class actions filed in the Court of Common Pleas of Lackawanna County.
  • September 4, 2025. The court consolidates the actions as Woytach v. Drug and Alcohol Treatment Services, Inc., No. 25-CV-3681, and appoints Samantha Holbrook of Shub Johns & Holbrook LLP as Interim Co-Lead Counsel for plaintiffs.

What was exposed

Per the DATS notice of security incident and corroborating coverage, the affected data set includes:

  • Full name, date of birth, home address
  • Social Security number and government ID
  • Health insurance information and patient account numbers
  • Medical diagnosis and treatment information
  • Medication information
  • Treating physician / doctor names
  • Medical claims and billing information
  • Financial information

Sensitive population: SUD treatment under 42 CFR Part 2

Because DATS is a federally assisted SUD treatment program, the affected records receive heightened protection under 42 CFR Part 2 in addition to HIPAA. Part 2 imposes substantially stricter rules on redisclosure of substance-use treatment information than HIPAA does, and the diagnoses, medication names, and treatment dates exposed here — methadone or buprenorphine prescriptions, intensive-outpatient placement, alcohol-use disorder diagnoses — are exactly the kinds of records Part 2 was written to keep out of employment, housing, custody, and insurance contexts. The HHS Part 2 enforcement program took effect February 16, 2026, placing this incident in the first cohort subject to combined HIPAA and Part 2 enforcement scrutiny.

What DATS is offering

  • Complimentary credit monitoring and identity-theft protection services (provider and duration not specified in the public notice).
  • Dedicated assistance line: 1-833-799-4385 (Monday through Friday, 8 a.m. to 8 p.m. Eastern).
  • Online notice posted at datsrecovery.org/notice-of-security-incident.

If you received a letter, check it for the specific monitoring provider, enrollment code, and deadline — the public notice page does not list those details.

Class-action status

At least eight class actions were filed against DATS in the Court of Common Pleas of Lackawanna County between May and August 2025. On September 4, 2025, the court granted plaintiffs’ motion to consolidate the cases under the lead caption Woytach v. Drug and Alcohol Treatment Services, Inc., No. 25-CV-3681, and appointed Samantha Holbrook of Shub Johns & Holbrook LLP as Interim Co-Lead Counsel. The complaints allege negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment, focused on the seven-month gap between intrusion detection in October 2024 and individual notification in May 2025, and on the SUD-specific sensitivity of the exposed records.

Additional firms publicly investigating include Strauss Borrelli PLLC, Federman & Sherwood, Arnold Law Firm, Morgan & Morgan, and others.

What to do if you may be affected

  1. Enroll in the credit monitoring offered in your letter. Use the activation code; the offer has a hard enrollment window.
  2. Place free credit freezes at Equifax, Experian, and TransUnion. Freezes are free, take about ten minutes per bureau, and are the single highest-leverage step against new-account identity theft.
  3. Exercise your 42 CFR Part 2 rights. As a DATS patient, your SUD treatment records receive heightened federal protection. Part 2 gives you stronger redisclosure restrictions than HIPAA alone — important if you ever see your treatment history surface in an employment background check, custody proceeding, or insurance underwriting context.
  4. Watch for tax-refund and Medicaid-billing fraud. Social Security numbers plus health-insurance IDs are the precise combination used for medical-identity theft. File IRS Form 14039 if a fraudulent return is filed in your name.
  5. Preserve your right to join the class action. Keep the DATS notification letter; you may be contacted by class counsel or receive a future claim form.
  6. Stop the ongoing flow of your SUD treatment data. HealthConsent files Part 2 redisclosure restrictions, HIPAA restriction requests, and state-law deletion requests across providers, insurers, and downstream entities so the same record set cannot be exposed twice.

Sources on this page

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.