Allegany Council on Alcoholism & Substance Abuse, Inc. Data Breach 2025: 696 Affected · Email Hacking/IT Incident · Wellsville, NY · 42 CFR Part 2 SUD Provider
Allegany Council on Alcoholism & Substance Abuse, Inc. (ACASA), an OASAS-certified substance use disorder treatment provider in Wellsville, NY, filed a HIPAA breach report with HHS OCR on April 2, 2025 disclosing a Hacking/IT Incident affecting an email account and 696 individuals. ACASA later issued a Notice of Data Incident with a dedicated call line. Because ACASA is a federally assisted SUD program, the exposed records are also protected by 42 CFR Part 2.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 2, 2025
ACASA submits a HIPAA breach report to HHS OCR disclosing a Hacking/IT Incident affecting an email account and 696 individuals
Jul 28, 2025
ACASA publishes a Notice of Data Incident on its website with a dedicated toll-free assistance line (877-293-4321) and state-specific guidance for affected residents
Apr 2, 2025
ACASA submits a HIPAA breach report to HHS OCR disclosing a Hacking/IT Incident affecting an email account and 696 individuals
Jul 28, 2025
ACASA publishes a Notice of Data Incident on its website with a dedicated toll-free assistance line (877-293-4321) and state-specific guidance for affected residents
Data exposed
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Allegany Council on Alcoholism & Substance Abuse, Inc. (ACASA), an Office of Addiction Services and Supports (OASAS) certified substance use disorder treatment provider headquartered in Wellsville, New York, filed a HIPAA breach report with the U.S. Department of Health and Human Services Office for Civil Rights on April 2, 2025. The OCR portal entry classifies the incident as a Hacking/IT Incident at an Email location and lists 696 affected individuals. ACASA subsequently issued a Notice of Data Incident on its website and stood up a dedicated toll-free assistance line for affected individuals. Because ACASA operates federally assisted substance use disorder treatment programs, the records implicated by this incident are protected not only by HIPAA but by the heightened federal confidentiality standard at 42 CFR Part 2.
Timeline of what we know
- April 2, 2025. ACASA files a HIPAA breach report with HHS OCR. The portal entry records 696 affected individuals, a Hacking/IT Incident at an Email account, and identifies ACASA as a Healthcare Provider in New York.
- July 28, 2025. ACASA publishes a Notice of Data Incident on its public website. The notice directs affected individuals to a dedicated toll-free line at 877-293-4321, available Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern, and includes state-by-state guidance on consumer protections including fraud alerts and security freezes. (The hosted notice is no longer reachable at its original URL on the ACASA site as of this update.)
- Ongoing. The HHS OCR breach investigation under the federal Breach Notification Rule remains open on the OCR portal. No public OCR enforcement action, attorney general resolution, or class-action filing has been reported as of this update.
What was exposed
ACASA has not publicly itemized the specific data elements implicated in the incident. The OCR portal entry classifies the breach location as Email, indicating that the unauthorized access involved one or more ACASA email mailboxes rather than a network server, electronic medical record, or other system. Email mailboxes at a behavioral health provider commonly contain attachments, correspondence with patients, intake and referral materials, billing and insurance information, and care-coordination messages. Until ACASA’s individual notification letter or a state attorney general filing publishes a definitive data-element list, this page treats the exposed dataset as undisclosed but presumed to include some combination of identifying, demographic, insurance, and clinical information necessary to trigger federal breach notification.
Why this exposure is especially sensitive: 42 CFR Part 2
ACASA is a federally assisted substance use disorder treatment program certified by the New York State Office of Addiction Services and Supports. That status means patient identifying information drawn from ACASA’s treatment records is protected by 42 CFR Part 2, which is significantly stricter than HIPAA. Part 2 generally prohibits the use or disclosure of patient identifying information for criminal proceedings, custody disputes, employment decisions, or immigration proceedings without specific written consent or a Part 2 court order. The unauthorized disclosure of Part 2 records can carry independent civil and, in some circumstances, criminal penalties separate from HIPAA.
Exposure of SUD treatment records also carries real-world harms that pure financial-fraud exposures do not. These include discrimination in employment, housing, child custody, and insurance underwriting; stigma in family and community relationships; and chilling effects on patients’ willingness to seek future treatment. Affected individuals should weigh the generic credit-monitoring steps below against the longer-tail privacy harms of their behavioral health and SUD information being in unknown hands. HHS OCR was empowered in 2025 to administer and enforce Part 2 directly, and the OCR portal now includes Part 2 breach reporting alongside HIPAA reporting.
What ACASA is offering
Per ACASA’s Notice of Data Incident, the organization stood up a dedicated toll-free assistance line for affected individuals at 877-293-4321, available Monday through Friday from 9:00 a.m. to 9:00 p.m. Eastern. The notice included state-specific consumer protection guidance directing affected residents to their state attorney general, FTC identity theft resources, and the three nationwide consumer reporting agencies for fraud alerts and security freezes. ACASA has not publicly confirmed whether complimentary credit-monitoring or identity-protection services are being offered to all affected individuals; recipients of the individual notification letter should review their letter for any enrollment instructions and the deadline to enroll.
Class-action and regulatory posture
No class-action complaint against ACASA arising from this incident has been publicly reported as of this update. The HHS OCR breach investigation under the federal Breach Notification Rule remains open. Given the relatively small affected count (696 individuals), the matter may resolve at the OCR level without litigation. Plaintiffs’ firms regularly monitor SUD-provider breaches because Part 2 records carry independent privacy claims under state common law, the Washington and California consumer protection statutes, and analogous New York causes of action, but no firm has publicly announced an investigation.
What to do if you may be affected
Behavioral health and SUD records are among the most sensitive categories of PHI. Treat any ACASA breach notification letter as a high-severity exposure even though the OCR portal does not yet itemize the specific data elements.
- Freeze your credit at all three bureaus. Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new-account fraud. This is the single highest-leverage step against identity theft if Social Security numbers or financial account numbers turn out to have been in the affected mailboxes.
- Call the ACASA assistance line at 877-293-4321 Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern, to confirm whether your information was implicated and to ask whether ACASA is offering complimentary credit monitoring or identity-protection services. Ask for the specific data elements present in your record.
- Watch for a notification letter at the address on file with ACASA. Notification letters typically follow the OCR filing by several weeks to a few months. Read the letter carefully. It will list the specific data elements exposed and any complimentary services offered.
- Request copies of your Explanation of Benefits from your health insurer and review them for services you did not receive. Medical identity theft can take months to surface. Report any discrepancies to your insurer and to HHS OCR.
- Request an Identity Protection PIN (IP PIN) from the IRS at irs.gov/ippin. It is free and prevents fraudulent federal returns under your Social Security number.
- Be skeptical of unsolicited outreach. Threat actors often follow large breaches with targeted phishing using leaked identifiers. ACASA will not ask for your full Social Security number, banking details, or treatment history by phone to “verify” your account.
- Know your 42 CFR Part 2 rights. If you are a current or former ACASA patient, your treatment records are subject to Part 2 protections. If an employer, court, custody proceeding, or immigration officer references information that could only have come from your SUD treatment record, document it and consult a New York healthcare-privacy attorney about a Part 2 enforcement action.
Sources
- HHS Office for Civil Rights Breach Portal: the federal regulatory record of this breach, listing 696 affected individuals at an Email location (Hacking/IT Incident, filed April 2, 2025).
- Allegany Council on Alcoholism and Substance Abuse, Inc. (ACASA) — official site: confirms ACASA’s identity as the entity reporting the breach, its Wellsville, NY location, and its OASAS-certified substance use disorder treatment programs.
- NYS Office of Addiction Services and Supports (OASAS) — In-Community Clinic Services: confirms ACASA’s status as a federally assisted SUD program subject to 42 CFR Part 2.
- HHS OCR — 42 CFR Part 2 Breach Portal Required Information: the federal Part 2 breach reporting framework that applies to ACASA’s patient identifying information.
- New York State Attorney General — Report a Data Breach: the NY AG’s breach reporting and consumer guidance resource for New York residents affected by HIPAA breaches.
- HIPAA Journal — April 2025 Healthcare Data Breach Report: industry context on the April 2025 healthcare breach landscape in which ACASA filed.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Allegany Council on Alcoholism and Substance Abuse, Inc. (ACASA) — official site
- NYS Office of Addiction Services and Supports (OASAS) — In-Community Clinic Services
- HHS OCR — 42 CFR Part 2 Breach Portal Required Information
- New York State Attorney General — Report a Data Breach
- HIPAA Journal — April 2025 Healthcare Data Breach Report
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.