HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Legacy Treatment Services data breach affects nearly 42,000 patients

Written by Farah Amod | Sep 7, 2025 1:23:48 PM

Legacy Treatment Services and its subsidiary, Community Treatment Solutions, are under investigation following a data breach that compromised the personal information of 41,826 patients. The breach occurred between October 6 and October 11, 2024, but the organization only became aware of the incident on July 18, 2025, nine months later. The New Jersey Cybersecurity and Communications Integration Cell confirmed it was formally notified of the breach, and public notices were issued beginning August 20.

 

Going deeper

Legacy Treatment Services operates nine behavioral health locations across New Jersey. The compromised data includes a wide range of sensitive information: Social Security numbers, medical diagnoses, clinical treatment records, credit card and banking details, health insurance information, and personal identifiers such as names, birthdates, driver’s license numbers, and email addresses.

The breach is being reviewed by external cybersecurity professionals, and a forensic investigation is ongoing. The company took some systems offline to mitigate the threat once it became aware of the issue. However, the organization has not publicly disclosed whether it has implemented additional cybersecurity investments or employee training since the breach.

Only two affected individuals are based in Maine, according to the report filed with that state’s Attorney General. Legal investigations are underway, including a potential class action lawsuit being explored by Edelson Lechtzin LLP.

 

What was said

In its public notice, Legacy stated that it had “no evidence that any personal information has been or will be misused for identity theft as a direct result of this incident.” A letter to affected individuals stated that law enforcement was contacted and that the organization worked with cybersecurity experts throughout its investigation.

The organization has not responded to media inquiries about additional steps it may take moving forward.

 

FAQs

What types of services does Legacy Treatment Services provide?

Legacy Treatment Services offers behavioral health programs, including mental health, substance use treatment, and outpatient services, primarily in New Jersey.

 

Why was the breach not discovered until nine months later?

Breach detection is often delayed by complex infrastructure, limited monitoring tools, or stealthy intrusion techniques. The specifics of Legacy’s detection delay have not been disclosed.

 

What steps should patients take if they think their data was involved?

Patients should monitor their credit reports, consider placing fraud alerts or credit freezes, and watch for suspicious activity in financial or healthcare accounts.

 

What is a class action investigation, and how can affected individuals participate?

A class action investigation evaluates whether legal grounds exist to file a lawsuit on behalf of all affected individuals. Patients may be eligible to join if a case is filed, usually by registering through the investigating law firm.

 

Is this breach subject to HIPAA penalties?

If the U.S. Department of Health and Human Services determines that HIPAA safeguards were inadequate or violated, Legacy could face financial penalties or enforcement actions.