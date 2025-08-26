Nonprofit behavioral health provider Legacy Treatment Services and its subsidiary, Community Treatment Solutions, are under investigation for a data breach involving nearly 42,000 patient records.

The Hainesport, New Jersey-based provider has nine locations throughout the state. A spokesperson from the New Jersey Cybersecurity and Communications Integration Cell confirmed to Behavioral Health Business that it has received notice of the breach as required by state law.

Legacy Treatment Services reportedly learned of the breach only as of July 18, 2025, yet it occurred between Oct. 6 to Oct. 11, 2024 – nine months prior – according to a data breach report filed with the Maine Attorney General’s Office. Only two Maine residents were impacted.

Executives from the company did not respond to Behavioral Health Business’ request for comment.

The organization began notifying the 41,826 affected patients as of Aug. 20.

“Upon learning of this issue, we immediately commenced a prompt and thorough investigation,” Legacy Treatment Services wrote in a letter dated Aug. 20, 2025. “We also notified law enforcement. As part of our investigation, we have been working very closely with external cybersecurity professionals experienced in handling these types of incidents. After an extensive forensic investigation and comprehensive document review, on July 18, 2025 we determined your personal data may have been subject to unauthorized access and acquisition.”

Two days later, the company published a public notice about the breach on its website, in which it emphasized that it “has no evidence that any personal information has been or will be misused for identity theft as a direct result of this incident.”

The breach included medical diagnosis and clinical treatment information. The compromised information ranges from social security numbers, full names and birthdates, driver’s license and state ID numbers, email addresses, bank names and routing numbers, credit card information, health insurance information and more. That’s according to Edelson Lechtzin LLP, one of several law firms investigating the incident.

Edelson Lechtzin LLP noted that it is “investigating a class action lawsuit to seek legal remedies for individuals whose sensitive personal data may have been compromised” by the breach. BHB reached out to the law firm to confirm what type of legal remedies it is seeking on behalf of affected clients, but did not receive a response.

Legacy Treatment Services noted in its Aug. 22 update that the company did take some systems offline and worked to mitigate the threat once it was aware of the breach, but the full scope of the incident was not realized until July 18, 2025.

The company is cooperating with law enforcement. Details around whether or not Legacy Treatment Services has taken additional steps to invest in more robust security systems or training for its employees are unknown at this time.