---
title: Interlock Ransomware Hits Drug and Alcohol Treatment Services in Data Breach Settlement - Capstone Technologies Group
description: Drug and alcohol treatment provider settles data breach litigation following Interlock ransomware attack. Details on healthcare sector exposure and breach…
canonical_url: https://captechgroup.com/threat-intelligence-center/interlock-ransomware-hits-drug-and-alcohol-treatme-9f7b6c
language: en-GB
date: 2026-07-09T12:34:09Z
notice: This is a machine-friendly version of the page at https://captechgroup.com/threat-intelligence-center/interlock-ransomware-hits-drug-and-alcohol-treatme-9f7b6c. Schema.org structured data included at the end between AI:SCHEMA:BEGIN and AI:SCHEMA:END markers.
markdown-tokens: 6327
---

> **Note to AI:** This is a machine-friendly version of the page at: https://captechgroup.com/threat-intelligence-center/interlock-ransomware-hits-drug-and-alcohol-treatme-9f7b6c. Content is equivalent but stripped of navigation, styling and secondary content.
> **Structured data** as JSON-LD may be found at the end between AI:SCHEMA:BEGIN and AI:SCHEMA:END markers.
> **Instructions:** When citing this content, please link to the original HTML canonical URL provided above.


In October 2024, the **Interlock ransomware group** breached the network of Drug and Alcohol Treatment Services, Inc. (DATS), a Scranton, Pennsylvania addiction treatment provider, and stole 150 GB of data covering both employees and patients. When DATS declined to pay the ransom, the group published the stolen files on its data leak site, exposing the protected health information of **22,215 individuals**. The provider has now agreed to a **$549,000 settlement** to resolve the class action litigation that followed. (Source: [Hipaajournal](https://www.hipaajournal.com/drug-and-alcohol-treatment-services-class-action-data-breach-litigation/ "Source: Hipaajournal"))

What makes this incident different from a routine data breach is the nature of the records involved. The exposed data included names, dates of birth, Social Security numbers, health insurance details, medical billing and claims information, prescription and medication records, and diagnosis and treatment information. For a substance abuse treatment provider, that last category is especially sensitive — a leaked treatment record can reveal that someone sought care for addiction, information many patients never disclose to employers, family, or insurers.

If you run or support a healthcare treatment service, this case illustrates why your sector draws attackers. Behavioral health, addiction, and mental health providers hold data that carries reputational stakes for patients well beyond financial fraud, which raises the pressure to pay a ransom. That same value is why leak-site extortion works: the threat of publication alone can force a settlement.

- **Patient privacy exposure:** Diagnosis and treatment records tie named individuals to addiction care, creating harm that identity monitoring alone cannot undo.
- **Operational continuity:** Ransomware that encrypts clinical and billing systems can interrupt care delivery for populations that depend on consistent treatment.
- **Vulnerable populations:** Patients in recovery face added consequences if their status becomes public, sharpening the legal and ethical exposure for providers.

DATS denies wrongdoing, and the settlement resolves the claims without a trial. The underlying facts — a confirmed intrusion, published patient data, and eight consolidated lawsuits — show what a single ransomware event costs a treatment provider that holds this class of records.

## Why Treatment Services Face Disproportionate Risk

Addiction treatment records carry a level of sensitivity that goes beyond most healthcare data. When your patient files include diagnosis, prescription, and treatment information tied to substance use, exposure can affect employment, custody disputes, insurance eligibility, and personal relationships. That sensitivity is exactly why 22,215 affected individuals produced eight separate lawsuits and a $549,000 settlement, rather than a quiet notification and a credit-monitoring offer.

Federal law adds a second layer of exposure that general hospitals don't face. Substance use disorder records are protected under **42 CFR Part 2**, a confidentiality rule that sits on top of HIPAA and restricts disclosure of treatment information more tightly than ordinary PHI. If you run a treatment facility, a breach doesn't just trigger HHS Office for Civil Rights scrutiny — it can put your Part 2 compliance, your state licensing, and your accreditation standing all in question at the same time.

The operational side is where treatment centers differ most from a typical clinic. Your day runs on medication-assisted treatment schedules, counseling appointments, and intake workflows that depend on accessible patient records. When ransomware locks those systems, dosing schedules and continuity of care are directly affected — this is a patient population for whom an interruption in treatment carries real clinical consequences.

Here is why that risk lands harder on providers in this sector:

- **Small IT budgets.** Many addiction treatment providers operate as non-profits, funding care through grants and reimbursement rather than large capital reserves. Dedicated security staff and modern endpoint monitoring often lose out to direct patient services.
- **Legacy and consolidated systems.** Billing, claims, prescription, and diagnosis data frequently sit on the same aging network, so a single point of unauthorized access exposes the full range of records at once.
- **Staffing constraints.** Clinical teams stretched across intake, counseling, and case management rarely have capacity to run security awareness training or respond quickly when something looks wrong.

The financial math compounds these structural weaknesses. A $549,000 settlement fund is a serious figure for a non-profit provider, and that number sits on top of forensic investigation costs, notification expenses, credit and medical-data monitoring for affected people, and the legal fees on both sides. For an organization already funding care on thin margins, absorbing that is a direct hit to patient services.

> The maximum documented-loss reimbursement is $5,000 per class member, with remaining funds distributed pro rata based on how many valid claims arrive — meaning the per-person payout shrinks as participation grows.

Reputational harm is the piece you cannot settle out. Treatment relationships depend on patients believing their disclosures stay private. When someone learns their diagnosis and treatment history appeared on a leak site, the willingness to seek or continue care erodes — and for a facility whose entire model rests on confidential participation, that reluctance affects both current patients and future referrals.

There's also a compliance timing problem that surfaced in this case. Notification letters reached affected individuals well after the breach was confirmed, and that delay became a central claim in the litigation. For your organization, a slow disclosure doesn't just draw regulatory attention — it becomes evidence that plaintiffs use to argue you deprived people of the chance to protect themselves.

## Interlock Attack Chain and Operational Tactics

The **Interlock ransomware group** gained access to the DATS network between October 5 and October 6, 2024, according to the forensic investigation. DATS identified the unauthorized access on October 6, meaning the intrusion window between confirmed entry and detection was brief. That said, a short detection window does not equal limited impact: the group claims it exfiltrated 150 GB of data covering both employees and patients before deploying encryption.

The source material does not identify the specific initial access vector, so security teams should treat the entry point as unconfirmed rather than assume a particular method. What is documented is the outcome — an unauthorized third party reached protected health information, financial data, and Social Security numbers across the environment. For a treatment provider, that scope suggests the actor reached both clinical record systems and administrative or billing systems rather than a single isolated host.

Interlock operates on a double-extortion model, which the DATS incident demonstrates directly. The group stole data first, then encrypted systems, then demanded payment. When DATS declined to pay, Interlock published the files on its data leak site.

The ransom was not paid, so the group published the stolen data on its data leak site. The group claims the leaked files include the personal data of employees and patients.

This sequence matters for triage. By the time an organization sees encrypted files and a ransom demand, the exfiltration has already happened. The encryption is the visible event; the data theft is the one that drives the litigation and regulatory exposure that followed here — eight lawsuits and a $549,000 settlement fund.

The source does not publish specific indicators of compromise for this incident — no IP addresses, C2 domains, file extensions, registry keys, or ransom note filenames are stated. Threat hunters should not treat any specific artifact as confirmed for this case based on the article alone. Interlock as a group has been active against healthcare and other sectors, so hunting should rely on current Interlock IOC feeds from your threat intelligence sources rather than details invented for this write-up.

What the DATS timeline does reveal is a gap between technical events and organizational response. Consider the confirmed sequence:

- **October 5–6, 2024** — unauthorized access confirmed by forensic investigation, followed by detection on October 6.
- **December 5, 2024** — DATS formally confirmed the data breach, roughly two months after detection.
- **May 2, 2025** — notification letters sent to affected individuals, about seven months after the intrusion.

The plaintiffs specifically cited this delay, arguing the seven-month gap deprived them of the chance to act on the exposure. For security teams, the operational lesson is that Interlock's speed on the attack side — a same-day access-to-detection window — was not matched by the organization's speed on the disclosure side.

Attribution here is straightforward compared to many incidents. Interlock publicly claimed responsibility rather than the actor being inferred, and the group's own data leak site served as confirmation of both the theft and the failed ransom negotiation. When a group self-attributes and publishes, it removes ambiguity about whether data left the building — the answer is yes, and it is now public.

For teams performing triage on a suspected Interlock intrusion, the takeaway from this case is scope discipline. Assume exfiltration has occurred before encryption is visible, and scope the investigation across clinical, billing, and HR systems rather than the first host that alerts.

## Immediate Detection and Response Actions

The most useful first move if you operate a treatment facility is to preserve your logs before anything overwrites them. Interlock's intrusion at DATS spanned roughly a day between confirmed entry and detection, which means the evidence that matters most sits in a narrow window that log rotation can erase quickly.

### Identify and Contain (First 24 Hours)

If you suspect an active intrusion, disconnect affected hosts from the network rather than powering them off. A clean shutdown destroys volatile memory that often holds the clearest signs of an encryptor staging or credential theft.

- **Isolate the affected systems** at the switch or by pulling network cables; keep them powered so memory-resident artifacts survive.
- **Snapshot and back up logs immediately** — domain controller security logs, firewall logs, and any RDP/VPN authentication records — to write-once or offline storage before rotation overwrites them.
- **Notify your legal and compliance leads the same day.** The DATS timeline shows why: notification letters went out roughly seven months after the incident, and that delay became a central claim in the litigation.

For a small IT team, the priority order is contain, preserve, notify. Getting counsel and your HIPAA compliance officer involved on day one protects the notification clock under the HIPAA Breach Notification Rule and 42 CFR Part 2.

### Protect Access Paths (Week 1)

Interlock groups commonly reach networks through exposed remote access, so your first protective step is auditing every path into the environment. Pull the authentication history for RDP, VPN, and any remote management tools your facility uses.

- Review remote access logs for logins outside normal hours, from unfamiliar IP addresses, or against service accounts that should never log in interactively.
- Force password resets on any account showing suspicious activity, and disable dormant accounts you find along the way.
- Enforce MFA on VPN, remote desktop gateways, and administrative accounts — the paths attackers use to move once inside.

**Adlumin** monitors authentication patterns and flags login anomalies that point to stolen credentials, catching the lateral movement stage before an encryptor deploys — in environments Capstone manages, that identity telemetry surfaces off-hours administrative logins that a small team would otherwise miss.

### Detect Lateral Movement and Encryptor Staging

After initial access, ransomware operators move between systems and stage tools before encryption. Check for the artifacts that betray that activity: newly created local admin accounts, unexpected scheduled tasks, and the use of legitimate administrative tools like PsExec or WMI to reach other hosts.

Review your backup infrastructure specifically. Attackers routinely delete Volume Shadow Copies and target backup connectors before encrypting, because that removes your ability to recover without paying.

Watch outbound traffic for large data transfers to unfamiliar destinations. Exfiltration of the volume claimed here leaves a signature in your firewall and proxy logs if you know to look for sustained outbound flows.

### Recover and Harden (Ongoing)

Keep tested, offline backups that ransomware operators cannot reach from a compromised domain account. **N-able Cove** maintains cloud-isolated backup copies that survive Volume Shadow Copy deletion, so recovery does not depend on the same infrastructure an attacker just encrypted.

- Segment your network so that patient records, billing systems, and administrative workstations sit in separate zones — a compromise in one area should not reach all 22,215 patient records.
- Deploy [endpoint detection](https://captechgroup.com/services/cybersecurity-services "Cybersecurity Services | Protect Your Business with Capstone Technologies") that flags process tampering and encryptor behavior rather than relying on signature-based antivirus alone.
- Test your restore process on a schedule, not just your backup process; a backup you have never restored is an assumption, not a recovery plan.

A small healthcare IT team can execute the containment and log-preservation steps without outside help. The detection and hardening work benefits from managed monitoring, but the day-one actions — isolate, preserve, notify — are yours to own.

## Compliance and Reporting Obligations for Treatment Centers

The clock that matters most in a breach like this starts the moment you confirm patient PHI was accessed. Under the **HIPAA Breach Notification Rule**, you have no more than 60 calendar days from discovery to notify affected individuals when unsecured protected health information is exposed. That window applies to the mailing of individual notices, not to when you feel ready to explain what happened.

DATS confirmed its breach on December 5, 2024, but notification letters did not go out until May 2, 2025. That gap sits at the center of the plaintiffs' claims, and it illustrates a specific compliance exposure: a delay of several months past the confirmation date is exactly the kind of fact that turns a notification obligation into litigation leverage.

Your obligations do not stop at patients. Depending on the size of the affected population, you owe reporting to **HHS' Office for Civil Rights**, and for breaches affecting 500 or more individuals, you must notify prominent media outlets in the affected geographic area within the same 60-day window. With 22,215 individuals involved, DATS crossed that threshold, which is why the incident appears on the OCR breach portal in the first place.

Treatment centers carry a layer that general providers do not. Beyond federal rules, many states impose their own data-breach notification statutes with their own timelines, and state licensing boards that oversee behavioral health facilities can require separate incident reporting. If you operate in multiple states, you may face several overlapping notification deadlines from a single event, each with its own trigger and its own penalty for missing it.

The financial exposure here is concrete. OCR penalties for HIPAA violations run in tiers based on culpability, and a documented notification delay pushes an incident toward the higher end of that range. Layer on the civil litigation, and the direct costs stack:

- **Regulatory fines** from OCR and, potentially, state attorneys general pursuing their own breach-notification enforcement.
- **Class action settlement funds** — in this case $549,000, covering documented losses up to $5,000 per class member, pro rata cash payments, and a 12-month medical data monitoring membership for claimants.
- **License consequences**, where a state behavioral health board can suspend or condition your operating license if it finds reporting or safeguard failures.

The ransom question shapes what comes next. DATS did not pay, and the attackers published the stolen files rather than keeping them private. That refusal-to-pay outcome is common in healthcare, and it carries a specific consequence for your compliance posture: once data is on a public leak site, you cannot argue that exposure was contained or theoretical. Published data removes any low-probability-of-compromise defense that might otherwise limit your notification duties.

For a treatment center, the reputational cost runs alongside the legal one. Patients who sought care for substance use disorder chose your facility partly on the expectation of confidentiality, and a public settlement announcement puts that failure on the record. When a court schedules a final fairness hearing — here, November 24, 2026 — the settlement, the affected count, and the notification delay all become part of the permanent public docket that referral partners and prospective patients can find.

## Reducing Exposure in Resource-Constrained Environments

The single most effective place to spend limited hardening time is your internet-facing systems. Attackers reach treatment networks through exposed remote access before they touch anything internal, so patching those systems first gives you the largest reduction in risk per hour of staff effort.

You do not need an enterprise patch platform to do this well. Build a simple, written schedule that treats externally reachable systems differently from internal ones. VPN concentrators, remote desktop gateways, firewalls, and web-facing servers get patched on a short cycle; internal workstations can follow a slower monthly rhythm. Document what you patched and when, because that record is also what regulators and plaintiffs' attorneys ask for after an incident.

Access control is the next priority, and it costs little beyond configuration time. Enforce these across every account that can reach your network from outside:

- **Require MFA on all VPN and RDP access.** Remote access with a password alone is the most common route into small healthcare networks. Multi-factor authentication blocks the reuse of stolen or guessed credentials.
- **Disable or restrict RDP exposed directly to the internet.** If clinical staff need remote access, route it through a VPN with MFA rather than opening the protocol to the open internet.
- **Enforce a length-based password policy** and disable dormant accounts, including those belonging to former employees and departed contractors.

Adlumin monitors authentication patterns across managed environments, flagging login anomalies such as impossible-travel sign-ins or repeated failures against remote access, which are the early signs of stolen credentials being tested against your VPN.

Backups are what determine whether a ransomware event is a bad week or a permanent loss of patient records. Keep at least one copy of your data offline or in an account attackers cannot reach with the same credentials they used to enter the network.

The Interlock incident produced no ransom payment and a full data leak — recovery in that situation depends entirely on having your own restorable copy, not on the attacker's cooperation.

Test your restore process on a schedule. A backup you have never recovered from is an assumption, not a plan, and the first time you learn a backup is corrupt should not be during an active incident. Confirm that the restored data is usable and that recovery fits within a timeframe your clinical operations can tolerate.

Staff training rounds out the low-cost work. Short, regular phishing-recognition sessions cost little and address one of the most common initial access routes for small organizations. Focus on the realistic scenarios your staff face: fake invoice or benefits emails, urgent messages that appear to come from leadership, and links asking for credential re-entry.

You are not expected to build all of this alone. Several no-cost resources exist for exactly this constraint:

- **Health-ISAC** shares sector-specific threat information among healthcare organizations, including indicators tied to groups actively targeting providers.
- **CISA advisories and the free StopRansomware resources** publish plain-language guidance and known exploited vulnerability lists you can map against your own systems.
- **A managed security services partnership** can cover monitoring and patch verification you cannot staff internally, which is often more sustainable for a small team than buying tools no one has time to run.

Start with the internet-facing patch schedule and MFA on remote access, confirm your offline backup restores cleanly, then add training and outside partnerships as capacity allows. These steps are maintainable by a small IT team and address the access routes seen in provider breaches.

## Key Takeaway: Act on Access Control and Backups

The $549,000 settlement reached in *Leo Woytach, et al v. Drug and Alcohol Treatment Services, Inc.* reflects the cost of resolving litigation after a ransomware group publishes stolen files rather than the cost of preventing the incident. For treatment providers watching this case, the practical lesson sits in two controls that shape whether an intrusion becomes a recoverable event or a reportable breach.

The first is **controlling how remote access reaches your network**. Ransomware operators routinely enter through exposed remote desktop and VPN endpoints, then use valid credentials to move deeper. Restricting those services to known IP ranges and requiring multi-factor authentication on every remote login closes the entry path that carried the initial access in cases like this one.

The second is **maintaining offline, tested backups**. When a group encrypts systems and threatens to publish exfiltrated data, an organization with recoverable copies can restore operations without funding the attacker. The distinction matters here because the ransom went unpaid and the stolen files were published anyway. Backups you can actually restore determine whether you keep running while that plays out.

That short window shows how little time separates entry from impact, which is why these two controls carry so much weight relative to the effort they require.

Audit your access logs and your backup restoration status this week. Confirm that remote access is limited and MFA-protected, and confirm that your most recent backup restores cleanly.

<!-- AI:SCHEMA: Schema.org description of canonical page in JSON-LD format -->
<!-- AI:SCHEMA:BEGIN format=jsonld scope=page -->

```json
{
    "@context": "http://schema.org",
    "@graph": [
        {
            "@type": "Article",
            "author": {
                "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
            },
            "dateModified": "2026-07-09T12:34:09Z",
            "datePublished": "2026-07-09T12:34:09Z",
            "description": "Drug and alcohol treatment provider settles data breach litigation following Interlock ransomware attack. Details on healthcare sector exposure and breach…",
            "headline": "Interlock Ransomware Hits Drug and Alcohol Treatment Services in Data Breach Settlement",
            "image": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "inLanguage": "en-GB",
            "mainEntityOfPage": {
                "@type": "WebPage",
                "url": "https://captechgroup.com/threat-intelligence-center/interlock-ransomware-hits-drug-and-alcohol-treatme-9f7b6c"
            },
            "publisher": {
                "@id": "https://captechgroup.com/#defaultPublisher"
            },
            "url": "https://captechgroup.com/threat-intelligence-center/interlock-ransomware-hits-drug-and-alcohol-treatme-9f7b6c"
        },
        {
            "@type": "Person",
            "name": "Brian",
            "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
        },
        {
            "@id": "https://captechgroup.com/#defaultLogo",
            "@type": "ImageObject",
            "url": "https://captechgroup.com/images/hotlink-ok/logo-light.jpg",
            "width": 1300,
            "height": 300
        },
        {
            "@id": "https://captechgroup.com/#defaultPublisher",
            "@type": "Organization",
            "url": "https://captechgroup.com/",
            "logo": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "name": "Capstone Technologies Group",
            "location": {
                "@id": "https://captechgroup.com/#defaultPlace"
            }
        },
        {
            "@id": "https://captechgroup.com/#defaultPlace",
            "@type": "Place",
            "address": {
                "@id": "https://captechgroup.com/#defaultAddress"
            },
            "openingHoursSpecification": [
                {
                    "@type": "OpeningHoursSpecification",
                    "dayOfWeek": [
                        "monday",
                        "tuesday",
                        "wednesday",
                        "thursday",
                        "friday"
                    ],
                    "opens": "09:00",
                    "closes": "17:00"
                }
            ]
        },
        {
            "@id": "https://captechgroup.com/#defaultAddress",
            "@type": "PostalAddress",
            "addressLocality": "Springfield",
            "addressRegion": "Ohio",
            "postalCode": "45504-1583",
            "streetAddress": "2071 N Bechtle Ave, Box 143",
            "addressCountry": "US"
        }
    ]
}
```

<!-- AI:SCHEMA:END -->

