Active breach tracker Front Royal, Virginia Disclosed May 29, 2025

Northwestern Community Services Board Data Breach 2025: 21,856 Shenandoah Valley Behavioral Health, IDD & SUD Patients Exposed in BlackSuit Ransomware Attack. What To Do

Northwestern Community Services Board (Front Royal, VA), the public community services board for Clarke, Frederick, Page, Shenandoah and Warren counties and the City of Winchester, disclosed a July 18 – August 8, 2024 BlackSuit ransomware intrusion affecting 21,856 patients and employees. BlackSuit claimed responsibility on its dark-web leak site on August 24, 2024 (approximately 34 GB exfiltrated). NWCSB completed its forensic analysis on May 12, 2025, filed with HHS OCR on May 29, 2025, and mailed individual notifications beginning July 7, 2025. Exposed data includes names, Social Security numbers, dates of birth, diagnoses, medications, and treatment information. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jul 18, 2024

Earliest date of unauthorized access to NWCSB's network, per the entity's notice

Aug 8, 2024

NWCSB detects unauthorized activity on its network, secures systems, and engages third-party cybersecurity specialists

Aug 24, 2024

BlackSuit ransomware gang publicly claims the attack on its dark-web leak site (approximately 34 GB exfiltrated)

Oct 7, 2024

NWCSB posts an initial Notification of Data Security Incident to nwcsb.com

May 12, 2025

Forensic data review completed; NWCSB identifies the specific data elements and individuals affected

May 29, 2025

NWCSB files HIPAA breach notification with HHS Office for Civil Rights (21,856 individuals; Hacking/IT Incident; Network Server)

Jul 7, 2025

NWCSB updates its public notice, mails individual notification letters, and files with state attorneys general (Massachusetts, Maine, and others)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical record number Medications Diagnosis and treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Address Government-issued ID number Health insurance information Doctor's name / practice type Dates of service Medical claims and billing information Financial information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Northwestern Community Services Board, the public community services board that has served Virginia’s Shenandoah Valley since 1969 from its administrative offices in Front Royal, has confirmed a BlackSuit ransomware intrusion between July 18 and August 8, 2024 that exposed sensitive records for 21,856 patients and employees. NWCSB provides behavioral and mental health care, intellectual and developmental disability supports, and substance use disorder treatment to residents of Clarke, Frederick, Page, Shenandoah, and Warren counties and the City of Winchester. As with every Virginia CSB breach, the population, not just the headcount, is the story.

Timeline

  • July 18, 2024 — earliest date of unauthorized access to NWCSB’s network, per the entity’s own Notification of Data Security Incident.
  • August 8, 2024 — NWCSB discovers the unauthorized activity, secures its systems, and engages third-party cybersecurity specialists.
  • August 24, 2024 — the BlackSuit ransomware gang publicly claims responsibility on its dark-web leak site, asserting that roughly 34 GB across 36,045 files and 9,110 directories was exfiltrated from a path it identifies as Y:\jerseynwcsb\DATA\Shares. NWCSB has not publicly verified the gang’s specific claims.
  • October 7, 2024 — NWCSB posts an initial Notification of Data Security Incident on nwcsb.com.
  • May 12, 2025 — forensic data review completes; NWCSB identifies the specific data elements and the individuals whose information was involved.
  • May 29, 2025 — NWCSB files its HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights: 21,856 affected, Hacking/IT Incident, Network Server.
  • July 7, 2025 — NWCSB updates its public notice, mails individual notification letters, and files with state attorneys general (Massachusetts reports 6 affected residents; Maine reports 7).

What was exposed

Per NWCSB’s Notification of Data Security Incident and trade-press reporting drawing on the entity’s state-AG filings, the data set obtained from NWCSB’s systems included, depending on the individual:

  • Full name, address, and date of birth
  • Social Security number and government-issued ID number
  • Medical record number, doctor’s name or practice type, dates of service
  • Diagnosis, treatment, and medication information
  • Health insurance information and medical claims / billing information
  • Financial information

NWCSB has stated that complimentary credit monitoring and identity protection services are being made available through the dedicated assistance line (1-855-577-9041, Monday–Friday, 8am–8pm Eastern). The specific monitoring vendor and term length are not named in the public notice reviewed.

Sensitive-population considerations (BH + SUD — 42 CFR Part 2 applies)

NWCSB is a Virginia community services board. Its service lines explicitly include mental health, substance use, and intellectual and developmental disability programs. For the SUD population, treatment records are covered by 42 CFR Part 2 in addition to HIPAA. Part 2 imposes stricter consent and re-disclosure requirements than HIPAA alone, and HHS OCR began enforcing a unified HIPAA / Part 2 rule effective February 16, 2026. That means unauthorized exfiltration of SUD treatment records — and the kind of dark-web posting BlackSuit appears to have carried out here — is now squarely within OCR’s enforcement lane.

NWCSB’s public notice does not invoke Part 2 by name. It also does not separately enumerate behavioral-health or SUD diagnoses inside the affected data set, describing the exposure generically as “diagnosis and treatment information” and “medication information.” For patients who received care through NWCSB’s SUD or behavioral-health programs, that language almost certainly covers the most sensitive parts of their record.

Credit-monitoring / identity-protection offering

The entity’s notice states that complimentary credit monitoring and identity protection services are available to affected individuals through the dedicated assistance line (1-855-577-9041) or by mail at 209 West Criser Road, Suite #300, Front Royal, VA 22630. The notice reviewed does not name the monitoring vendor or specify the enrollment period; affected individuals should look for that detail in their individual notification letter.

Class-action posture

ClassAction.org publicly opened and then closed an investigation into the NWCSB incident; no formal complaint in the U.S. District Court for the Western District of Virginia was indexed in the open sources reviewed as of this update. BlackSuit’s posting of an exfiltration claim on its leak site — the kind of public evidence that typically draws plaintiff-firm interest — is documented in trade press (HIPAA Journal, Halcyon). This page will be updated if filings appear.

What to do

  1. Read the letter. If you or a family member received services from NWCSB between July 18 and August 8, 2024, watch for a notification letter mailed on or around July 7, 2025. It contains the specific data elements that applied to you and your enrollment code for the offered identity protection. If you believe you were affected but did not receive a letter, call NWCSB’s dedicated assistance line at 1-855-577-9041 (Monday–Friday, 8am–8pm Eastern) or write to 209 West Criser Road, Suite #300, Front Royal, VA 22630.
  2. Enroll in the offered monitoring. Full SSN is in scope; do not leave the monitoring on the table.
  3. Place free credit freezes at Equifax, Experian, and TransUnion. About ten minutes per bureau, and the single highest-leverage step against new-account identity theft.
  4. File IRS Form 14039 if you see signs of tax-refund fraud or receive an unexpected IRS notice. SSNs exposed alongside dates of birth are the exact ingredients for fraudulent tax filings.
  5. If your SUD or behavioral-health record was in the exfiltrated set, document any unauthorized re-disclosure you encounter. Under 42 CFR Part 2, you have stronger remedies for re-disclosure of SUD records than HIPAA alone provides.
  6. Stop the ongoing flow of your most sensitive treatment data. HealthConsent files HIPAA and 42 CFR Part 2 restriction requests so behavioral-health and SUD records exposed in incidents like this are not continuously re-shared downstream.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.