Recently, Alliance Physical Therapy Group, LLC (“APTG”) provided additional details about a previously-announced data breach, explaining that the incident impacted a far greater number of people than initially believed. When APTG originally reported the breach, the company believed that the breach impacted a total of 14,970 individuals. However, based on a June 21, 2022 filing, the company now reports that there were 26,851 people affected in the State of Texas alone. It remains to be seen how many people were impacted nationwide. Alliance Physical Therapy Group also updated the types of data compromised in the breach to include affected parties’ names, Social Security numbers, driver’s license numbers, bank account and credit card numbers, medical information, usernames and passwords, passport numbers, and electronic signatures, among others.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Alliance Physical Therapy data breach, please see our recent piece on the topic here.

More Details About the Recent Update Regarding the Alliance Physical Therapy Data Breach

According to an official notice filed by the company, on around December 27, 2021, Alliance Physical Therapy Group detected suspicious activity on its IT systems. After making this discovery, APTG worked with third-party cybersecurity experts to investigate the incident.

On January 7, 2022, the company’s investigation confirmed that certain personal information stored on the company’s computers was accessible to an unauthorized party between December 23, 2021 and December 27, 2021.

In response, APTG then manually reviewed all data contained on the compromised files to determine which data was impacted and who it belonged to. While this process was underway, APTG provided initial notice of the breach on February 23, 2022.

However, following the release of the initial data breach letters, Alliance Physical Therapy Group continued its review of the data. This process was completed on April 19, 2022, and confirmed that more people were impacted than the company initially believed and that a greater array of data was accessible to the unauthorized party. While the breached information varies depending on the individual, it may include your name, Social Security number, driver’s license number, financial account information, payment card information, medical information, health insurance information, username and password, passport number, employer identification number, and electronic signature.

On June 21, 2022, Alliance Physical Therapy provided an updated notice of the incident and sent out data breach letters to all individuals whose information was compromised.

Alliance Physical Therapy Group, LLC, which is also known by the name Alliance Physical Therapy Partners, is a physical therapy provider based out of Grand Rapids, Michigan. APTG is the seventh-largest physical therapy provider in the United States, with more than 100 outpatient locations nationwide, including in California, Texas, Arizona, New Mexico, Louisiana, Missouri, North Carolina, Pennsylvania, Michigan, New Jersey, and Maine, and Wisconsin. Alliance Physical Therapy Group is also affiliated with Arrow Physical Therapy & Rehabilitation (formerly known as Accelerated Physical Therapy) and Armor Physical Therapy (formerly known as Agility Health Physical Therapy).

When is a Company Financially Liable for a Data Breach?

Under United States data breach and consumer protection laws, a data breach victim can hold a company financially responsible for a breach if they can prove that the company was negligent in how it stored, maintained, or transmitted their data.

In this context, proving a data breach claim requires a victim of the breach to prove that 1.) the company owed them a duty of care, 2.) the company violated the duty owed to the consumer, and 3.) the company’s breach of this duty caused or contributed to the data breach.

Of course, proving a company was liable for a breach is not always straightforward. While it’s generally understood that companies have a duty to all consumers whose information they have access to, disputes most commonly focus on whether the company was negligent and whether the company’s negligence was a “cause” of the victims’ harms.

A few examples of how a company may be negligent in causing a data breach include:

• A company employee does not follow the appropriate procedures when handling consumer data;

• A business fails to implement an adequate data security system or relies on an outdated system;

• A company inadvertently transmits consumer information to an unauthorized party; or

• An employee provides their login credential or consumer information to an unauthorized party following a phishing attempt.

Regarding causation, most data breaches involve the criminal activity of a third party. This opens the door for companies to claim that they should not be liable for a breach because it was “beyond their control.” However, just because a criminal actor breached a company’s system does not mean that the company cannot be held responsible; organizations have a legal duty to implement adequate data security systems to protect consumer data. And whether a company’s data-security measures are sufficient can be called into question.

While state and federal laws allow data breach victims to hold negligent companies accountable after a data breach, these claims are complex. Thus, anyone interested in learning more about data breach claims should consult with a data breach lawyer for assistance.