Active breach tracker NY Disclosed August 8, 2025

Center for Disability Services, Inc. Data Breach 2025: 3,343 Affected · Email Account Compromise · NY IDD Provider

Center for Disability Services, Inc., a long-standing Albany-based provider for New Yorkers with intellectual and developmental disabilities, disclosed on August 8, 2025 that unauthorized access to employee email accounts between June 19 and June 25, 2025 exposed names, demographic, medical and insurance information of 3,343 individuals, with a subset also exposing SSNs, driver's license numbers, and financial account information.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jun 10, 2025

Breach detected

Aug 8, 2025

Disclosed publicly

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers (limited subset) Driver's license / state ID numbers (limited subset)

03

Contact & insurance

Phishing + targeted scams

Names Demographic information Medical information Health insurance information Financial account information (limited subset)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Center for Disability Services, Inc., an Albany-based not-for-profit that has served New Yorkers with intellectual and developmental disabilities (IDD) for more than 80 years, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on August 8, 2025, reporting 3,343 affected individuals following unauthorized access to employee email accounts in June 2025. The organization is listed by the New York Office for People With Developmental Disabilities (OPWDD) as a provider supporting people with IDD across upstate New York.

Timeline

  • Unauthorized access (June 19, 2025 – June 25, 2025). Forensic investigation determined that one or more employee email accounts were accessed without authorization during this window.
  • Detected (June 10, 2025). Suspicious activity was identified in an employee email account, prompting the organization to secure the account and launch an investigation. (Detection predates the confirmed access window because initial indicators surfaced before forensics established the precise dates of unauthorized access.)
  • Filed with HHS OCR (August 8, 2025). Reported as a hacking/IT incident involving email under HIPAA’s breach notification rule.
  • Notified affected individuals (on or about August 8, 2025). The entity reported that notification letters were sent to potentially affected individuals following completion of the file review.
  • Class-action investigation (ongoing as of 2026). Shamis & Gentile P.A. is publicly soliciting affected individuals for a potential class-action lawsuit; no consolidated complaint or settlement has been reported as of this page’s last update.

What was exposed

The compromised email accounts contained protected health information including:

  • Names
  • Demographic information
  • Medical information
  • Health insurance information

For a limited subset of the 3,343 affected individuals, the exposed data also included one or more of:

  • Social Security numbers
  • Driver’s license numbers or state identification card numbers
  • Financial account information

Why the affected population matters

Center for Disability Services serves people with intellectual and developmental disabilities and their families. That population is acutely sensitive in a data-breach context for several reasons:

  • Many individuals rely on family members, guardians, or service coordinators to monitor financial accounts and credit, which can delay detection of identity misuse.
  • Medicaid waiver and long-term services billing typically links SSNs, plan IDs, and detailed clinical records, which together command higher prices on identity-theft marketplaces than payment-card data alone.
  • IDD-specific medical information (diagnoses, behavioral support plans, residential placement) carries durable privacy harm that does not expire the way a credit card number does.

What the entity offered

The publicly available reporting does not specify a credit-monitoring or identity-theft-protection product offered to affected individuals. The organization stated it is reviewing its data security policies and procedures to help prevent similar incidents. We will update this page if the individual notification letter, a state attorney general filing, or court documents disclose specific complimentary services.

Class-action posture

Shamis & Gentile P.A. has opened a public investigation and is accepting inquiries from individuals who received notice of the breach. As of the last update to this page, no consolidated class-action complaint, certified class, or settlement has been publicly reported.

What to do if you may be affected

  • Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account identity theft. If you are a guardian or service coordinator for someone with IDD, place a freeze on their credit file as well.
  • Read the notification letter carefully. It will identify which specific data elements were exposed for your record. If your letter lists SSN, driver’s license number, or financial account information, request and use any complimentary monitoring offered and watch tax-refund and Medicaid filings closely.
  • Watch Medicaid and insurance Explanation of Benefits (EOB) statements for services you did not receive. Medical identity theft commonly surfaces in EOBs before it appears on credit reports.
  • Be alert to targeted phishing. Email-account compromises mean attackers may have seen recent correspondence; subsequent phishing emails referencing real prior context are common after this kind of incident.
  • Bookmark this page. We update it as new information becomes publicly available.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.