napa valley data breach

Alliance Physical Therapy Group Reports Data Breach

‣ Medical, Financial Information May Be At Risk
‣ California Class Action Investigation

On June 10, 2022, Alliance Physical Therapy Group (sometimes referred to as Alliance Physical Therapy Partners or “APTG”), a Michigan-based company that oversees a network of physical therapy offices throughout the United States, reported a data breach to the California Attorney General’s Office affecting over 25,000 people nationwide.

The personal information that may have been accessed includes:

  • Full Names
  • Social Security numbers
  • Health insurance information
  • Financial account information
  • Payment card information
  • Employer identification numbers
  • Passport numbers
  • Driver’s license/state identification numbers
  • Medical information
  • Usernames and passwords
  • Electronic signatures

The full text of the APTG Notice of Data Breach can be found here.

More details are included in the company’s public statement, located here. APTG’s public statement disclosed that, on or about December 27, 2021, APTG noticed “suspicious activity” on its network. By January 7, 2022, APTG determined that some personal information may have been accessed without authorization between December 23, 2021 and December 27, 2021.

On February 23, 2022, APTG reported this data breach to the U.S. Department of Health and Human Services as a hacking/IT incident.

APTG HHS entry
(screenshot HHS Office of Civil Rights Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, last accessed June 26, 2022)

At that time, APTG stated that 14,970 people were affected by its data breach, however, on or about June 21, 2022, APTG reported to the Office of the Attorney General for the State of Texas that in Texas alone, 26,851 individuals were actually impacted by this hacking incident.

Texas OAG
(screenshot Texas OAG Data Security Breach Report webpage, last accessed June 26, 2022)

According to the information provided to the Maine State Attorney General’s Office, APTG provided notice to affected individuals on February 23, 2022, the same day the breach was reported to HHS. However, it appears this hacking incident reached more people than APTG originally reported, and more notices may have been received recently for individuals in other states, including California and Texas, approximately six months after Alliance Physical Therapy Partners was hacked.

Special California Laws Protect You From Data Breach Harms

If you are a California resident and received a Notice of Data Breach from APTG you may be entitled to between $100 and $1,000 plus actual damages resulting from the negligent release of your confidential information.

California has unique state laws, including the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA) that compensate individuals whose confidential and sensitive data have been accessed in ransomware events.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again) and anything else a court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.

Corporations Should Be Held Accountable For Data Breaches

When businesses decide to collect and keep personal data about California individuals, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals. This personal data is incredibly valuable to criminals who want to sell that information on the dark web to identity thieves and other black marketeers.

However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[1]The stakes are high: Data breach victims are more likely to also be victims of additional fraud.[2]

Cybercrimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate is under $20 per record depending on the type of information it contains, according to Privacy Affairs Dark Web Index of 2021.

Certain critical types of personal information – like Social Security numbers, names, and birth dates – are impossible, or almost impossible, to change. Thieves may choose to wait years to capitalize on compromised personal data.

The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. “The effects of a health data breach on consumers outlast the initial breach.”[3] Once you know your data has been disclosed, it is reasonable to take action to avoid concerns that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.


[1] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).

[2] Same

[3] Source: R. Bonta, California Attorney General, BULLETIN: Obligation to Proactively Reduce Vulnerabilities to Ransomware Attacks and Requirements Regarding Health Data Breach Reporting (2021).