Strauss Borrelli PLLC, a leading data breach law firm, is investigating Legacy Treatment Services, Inc. (“Legacy”) regarding its recent data breach. The Legacy data breach involved sensitive personal information belonging to an undetermined number of individuals.
ABOUT LEGACY TREATMENT SERVICES, INC.:
Legacy is a nonprofit behavioral health organization based in New Jersey. Founded in 2014, Legacy offers a broad range of services, including treatment for ADHD, anxiety and depression, developmental and intellectual disabilities, crisis intervention, education services, out-of-home care for children and youth, outpatient addiction treatment, prevention services, residential services for adults, and telehealth services.2 Headquartered in Hainesport, New Jersey, Legacy has nine additional locations in New Jersey and employs over 500 individuals.
WHAT HAPPENED?
Recently, Legacy announced that the sensitive personal identifiable information and protected health information in its care may have been compromised. According to the breach notice, Legacy recently detected an intrusion to its network.1 As a result, Legacy launched an investigation to determine the nature of the incident.
Through its investigation, on November 13, 2024, Legacy confirmed that sensitive personal information in its systems may have been viewed and obtained by an unauthorized third party between October 6 and October 11, 2024. As a result, Legacy began a review of the data to determine what information had been impacted as well as identify the specific individuals affected. The exact type of personal information potentially exposed has not been made publicly available by Legacy. However, according to state reporting guidelines, “personal information” can include the following types of information:
- Name
- Social Security number
- Driver’s license or state identification card number
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password
- Username, e-mail address, or any other account holder identifying information in combination with any password or security question and answer that would permit access to an online account
Additionally, according to the breach notice, the information potentially acquired includes Protected Health Information as defined by the Health Insurance Portability and Accountability Act (HIPAA), which includes:
- An individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual
On December 27, 2024, Legacy posted a notice of the incident on its website. Based on the website breach notice, Legacy is providing affected individuals with a list of the specific types of sensitive information impacted. A link to the form breach notification that Legacy posted to its website is below.
If you received a breach notification letter from Legacy Treatment Services, Inc.:
We would like to speak with you about your rights and potential legal remedies in response to this data breach. Please fill out the form, below, or contact us at 872.263.1100 or sam@straussborrelli.com.
