Community Treatment Solutions Data Breach 2025: 950 Affected · Ransomware (Interlock) · NJ. Filed With HHS OCR. What To Do.
Community Treatment Solutions (NJ) filed a HIPAA breach notification with the HHS Office for Civil Rights on January 16, 2025, reporting 950 affected individuals in a Hacking/IT Incident event at Network Server. The HHS OCR portal entry is the primary public record; further details are not yet publicly disclosed on...
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 6, 2024
other
Oct 11, 2024
detected
Jan 16, 2025
filed
Jan 16, 2025
Disclosed publicly
Jul 18, 2025
other
Aug 22, 2025
notified
Oct 6, 2024
other
Oct 11, 2024
detected
Jan 16, 2025
filed
Jan 16, 2025
Disclosed publicly
Jul 18, 2025
other
Aug 22, 2025
notified
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Community Treatment Solutions (CTS), an affiliate of Legacy Treatment Services headquartered in Hainesport, New Jersey, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on January 16, 2025, reporting 950 affected individuals in a Hacking/IT Incident at a Network Server. The CTS filing is a smaller, CTS-specific entry tied to a much larger underlying intrusion that hit the Legacy Treatment Services environment between October 6 and October 11, 2024, and ultimately resulted in notifications to 41,826 individuals across the combined Legacy / CTS patient and employee population.
The Interlock ransomware group publicly claimed responsibility shortly after the October 2024 intrusion and posted sample images of what it described as roughly 170 GB of exfiltrated data, including internal documents, patient records, and a large SQL database. Forensic analysts confirmed the scope of data acquisition on July 18, 2025, and the entity began mailing individual notification letters and posted a substitute notice on August 22, 2025.
Timeline
- October 6 to October 11, 2024 — unauthorized access to the Legacy / CTS network.
- October 11, 2024 — intrusion detected when network connectivity was disrupted. Interlock subsequently claimed responsibility.
- January 16, 2025 — CTS filed with HHS OCR (950 affected, Hacking/IT Incident, Network Server).
- July 18, 2025 — forensic confirmation that PHI was accessed and acquired.
- August 22, 2025 — individual notification letters and substitute notice published; complimentary credit monitoring and identity-theft protection (through IDX) offered for those with Social Security numbers exposed.
What was exposed
According to the entity’s own notice, the data elements involved include first and last names along with one or more of: Social Security numbers, dates of birth, driver’s license or state ID numbers, passport numbers, phone numbers, email addresses, financial account numbers, routing numbers, bank names, credit/debit card numbers (including CVV, expiration, PIN), login credentials, medical diagnoses, clinical information, treatment and procedure information, treatment locations, treatment cost information, provider names, medical record numbers, patient account numbers, health insurance information, prescription information, and biometric information.
That set is unusually broad. It pairs the financial-fraud trifecta (SSN + DOB + bank/card details) with deep clinical detail, which materially raises both the identity-theft and the privacy-harm exposure for affected individuals.
Why this one is more sensitive than most
Community Treatment Solutions provides clinically intensive, community-based services to children, youth, and families in South Jersey, including youth presenting with trauma, behavior, and addiction issues, as well as victims of human trafficking served through CTS’s BASE (Better Access for a Safe Environment) program. Its parent organization, Legacy Treatment Services, offers behavioral health, mental health, developmental, and addiction services across roughly ten locations in New Jersey.
That mission profile pulls this incident into the most sensitive corner of HIPAA-regulated data. Records that document mental-health diagnoses, addiction treatment, and services to minors and trafficking survivors carry stigma, custody, employment, immigration, and safety consequences that go well beyond typical financial-fraud exposure. Where the underlying records reflect treatment for substance use disorder, federal 42 CFR Part 2 confidentiality protections apply on top of HIPAA, and unauthorized acquisition of those records is exactly the harm Part 2 was written to prevent. Affected individuals and their guardians should assume that some of the most sensitive categories of their information may now be in the hands of a ransomware operator who has already published sample data.
What’s being offered
Legacy Treatment Services and CTS are offering complimentary credit monitoring and identity-theft protection through IDX to individuals whose Social Security numbers were potentially impacted. A dedicated response line is published in the entity’s notice. As with any post-breach offering, enrollment is time-limited — the entity has previously listed a November 20, 2025 enrollment deadline for the IDX services — and affected individuals should enroll promptly if they were offered coverage.
Class action and litigation status
At least one plaintiff’s firm (Edelson Lechtzin LLP) publicly announced an investigation on behalf of Legacy Treatment Services and Community Treatment Solutions customers in August 2025. ClassAction.org’s preliminary investigation has since closed without a filed complaint surfacing in public dockets at the time of this update. No certified class action has been confirmed against either entity as of this writing.
What to do if you may be affected
- Read your notification letter carefully. It lists the specific data elements exposed for your record, the credit-monitoring offer (if any), and the enrollment code and deadline. Notification letters under this incident began going out August 22, 2025.
- Enroll in the offered IDX credit-monitoring and identity-theft protection if your Social Security number was involved. Do this before the enrollment deadline in your letter.
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account fraud — and it stacks on top of any monitoring offered.
- If a minor child received services from CTS, place a child-credit freeze with each bureau as well. Identity theft of minors typically goes undetected for years.
- If you received behavioral health or substance use treatment through CTS or Legacy, be aware that records covered by 42 CFR Part 2 may be implicated. You may have additional rights, including the ability to file a complaint with HHS OCR if you believe your records were improperly disclosed.
- Watch for targeted phishing and impersonation that references your treatment, your provider’s name, or your prescription information. The breadth of clinical detail in this dataset enables unusually convincing social-engineering attempts.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- Legacy Treatment Services — Notice of Data Security Incident — the entity’s own substitute notice covering both Legacy and CTS.
- HIPAA Journal — Legacy Treatment Services Data Breach Affects 42,000 Individuals — trade-press summary of the combined Legacy / CTS incident.
- Comparitech — NJ social services org notifies 42K of data breach — independent reporting confirming the Interlock ransomware attribution and 170 GB exfiltration claim.
- ClassAction.org — Legacy Treatment Services investigation — plaintiff-side investigation status.
- Edelson Lechtzin LLP investigation notice — plaintiff-firm public investigation notice naming both entities.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Legacy Treatment Services — Notice of Data Security Incident
- HIPAA Journal — Legacy Treatment Services Data Breach Affects 42,000 Individuals
- Comparitech — NJ social services org notifies 42K of data breach
- ClassAction.org — Legacy Treatment Services investigation
- Edelson Lechtzin LLP investigation notice (via PR Newswire)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.