Center for Disability Services, Inc. Data Breach 2025: 3,343 Affected · Email Account Compromise · NY IDD Provider
Center for Disability Services, Inc., a long-standing Albany-based provider for New Yorkers with intellectual and developmental disabilities, disclosed on August 8, 2025 that unauthorized access to employee email accounts between June 19 and June 25, 2025 exposed names, demographic, medical and insurance information of 3,343 individuals, with a subset also exposing SSNs, driver's license numbers, and financial account information.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jun 10, 2025
Breach detected
Aug 8, 2025
Disclosed publicly
Jun 10, 2025
Breach detected
Aug 8, 2025
Disclosed publicly
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Center for Disability Services, Inc., an Albany-based not-for-profit that has served New Yorkers with intellectual and developmental disabilities (IDD) for more than 80 years, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on August 8, 2025, reporting 3,343 affected individuals following unauthorized access to employee email accounts in June 2025. The organization is listed by the New York Office for People With Developmental Disabilities (OPWDD) as a provider supporting people with IDD across upstate New York.
Timeline
- Unauthorized access (June 19, 2025 – June 25, 2025). Forensic investigation determined that one or more employee email accounts were accessed without authorization during this window.
- Detected (June 10, 2025). Suspicious activity was identified in an employee email account, prompting the organization to secure the account and launch an investigation. (Detection predates the confirmed access window because initial indicators surfaced before forensics established the precise dates of unauthorized access.)
- Filed with HHS OCR (August 8, 2025). Reported as a hacking/IT incident involving email under HIPAA’s breach notification rule.
- Notified affected individuals (on or about August 8, 2025). The entity reported that notification letters were sent to potentially affected individuals following completion of the file review.
- Class-action investigation (ongoing as of 2026). Shamis & Gentile P.A. is publicly soliciting affected individuals for a potential class-action lawsuit; no consolidated complaint or settlement has been reported as of this page’s last update.
What was exposed
The compromised email accounts contained protected health information including:
- Names
- Demographic information
- Medical information
- Health insurance information
For a limited subset of the 3,343 affected individuals, the exposed data also included one or more of:
- Social Security numbers
- Driver’s license numbers or state identification card numbers
- Financial account information
Why the affected population matters
Center for Disability Services serves people with intellectual and developmental disabilities and their families. That population is acutely sensitive in a data-breach context for several reasons:
- Many individuals rely on family members, guardians, or service coordinators to monitor financial accounts and credit, which can delay detection of identity misuse.
- Medicaid waiver and long-term services billing typically links SSNs, plan IDs, and detailed clinical records, which together command higher prices on identity-theft marketplaces than payment-card data alone.
- IDD-specific medical information (diagnoses, behavioral support plans, residential placement) carries durable privacy harm that does not expire the way a credit card number does.
What the entity offered
The publicly available reporting does not specify a credit-monitoring or identity-theft-protection product offered to affected individuals. The organization stated it is reviewing its data security policies and procedures to help prevent similar incidents. We will update this page if the individual notification letter, a state attorney general filing, or court documents disclose specific complimentary services.
Class-action posture
Shamis & Gentile P.A. has opened a public investigation and is accepting inquiries from individuals who received notice of the breach. As of the last update to this page, no consolidated class-action complaint, certified class, or settlement has been publicly reported.
What to do if you may be affected
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account identity theft. If you are a guardian or service coordinator for someone with IDD, place a freeze on their credit file as well.
- Read the notification letter carefully. It will identify which specific data elements were exposed for your record. If your letter lists SSN, driver’s license number, or financial account information, request and use any complimentary monitoring offered and watch tax-refund and Medicaid filings closely.
- Watch Medicaid and insurance Explanation of Benefits (EOB) statements for services you did not receive. Medical identity theft commonly surfaces in EOBs before it appears on credit reports.
- Be alert to targeted phishing. Email-account compromises mean attackers may have seen recent correspondence; subsequent phishing emails referencing real prior context are common after this kind of incident.
- Bookmark this page. We update it as new information becomes publicly available.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- HIPAA Journal — Two Disability Service Providers Announce Data Breaches Affecting 8,100 Patients — incident timeline, data elements, and entity statement.
- ClaimDepot — Center for Disability Services Data Breach Lawsuit Investigation — public class-action investigation listing (Shamis & Gentile P.A.).
- Center for Disability Services, Inc. — organization website — entity identity and service description.
- NY OPWDD — Center for Disability Services, Inc. provider listing — state confirmation of IDD provider status.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Two Disability Service Providers Announce Data Breaches Affecting 8,100 Patients
- ClaimDepot — Center for Disability Services Data Breach Lawsuit Investigation (Shamis & Gentile P.A.)
- Center for Disability Services, Inc. — organization website
- NY OPWDD — Center for Disability Services, Inc. provider listing
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.