Alaska mental health provider Akeela sued for late warning of data breach

Alaska mental health provider Akeela sued for late warning of data breach


Akeela Inc. headquarters in Anchorage. (File/KRBD)

A Washington woman is suing Alaska-based mental health provider Akeela Inc. following a data breach in 2023. The class action lawsuit in federal court says the nonprofit only told former patients last month that their personal information had been stolen.

Akeela has offices in Homer, Kenai and Anchorage. Operations in Ketchikan were suspended over the summer.

When patients are enrolled in one of Akeela's programs, they must provide intake information. As with many healthcare providers, this includes things like birth dates, social security numbers, and diagnosis and treatment information. According to the American Hospital Association, healthcare providers like Akeela are worth a pretty penny to hackers because of the amount of information on their servers.

Current and former patients of Akeela's drug and mental health programs received a letter in late July saying the provider had been the victim of a cyberattack. According to the lawsuit recently filed against the nonprofit, the personal and medical information of over 280,000 patients was stolen.

However, the letter states that the breach occurred around June 2023 – more than a year before patients were notified.

For this reason, a former patient of Akeela who lives in Washington state has sued the organization in a U.S. district court, alleging negligence, breach of contract and invasion of privacy, among other things.

According to the lawsuit, Akeela failed to take reasonable, industry-standard steps to protect patient data. The stolen data now potentially puts patients at risk for identity theft, fraud and other cybercrime for life. And in doing so, the lawsuit says, the mental health provider violated both its trust agreement — by essentially failing to use the money patients paid it to properly protect their identities — and its legal contract with patients.

Akeela's website has a notice of privacy practices for customers that states: “Akeela is required by law to maintain the confidentiality of your health information.”

The law firm that filed the lawsuit did not respond to emails or calls from KRBD about the lawsuit.

Reducing the risk of personal information theft can be costly, often requiring time-consuming and expensive credit monitoring, email accounts and other preventative measures, and the risk of sending more spam texts and emails.

The lawsuit alleges that Akeela could have taken these actions much sooner if it had warned its patients in a timely manner, rather than a year later, and that there have already been reports of patient identity theft and fraud as a result of the breach.

Akeela did not respond to multiple requests for comment via phone or email.