Northwestern Community Services Board Data Breach 2025: 21,856 Shenandoah Valley Behavioral Health, IDD & SUD Patients Exposed in BlackSuit Ransomware Attack. What To Do
Northwestern Community Services Board (Front Royal, VA), the public community services board for Clarke, Frederick, Page, Shenandoah and Warren counties and the City of Winchester, disclosed a July 18 – August 8, 2024 BlackSuit ransomware intrusion affecting 21,856 patients and employees. BlackSuit claimed responsibility on its dark-web leak site on August 24, 2024 (approximately 34 GB exfiltrated). NWCSB completed its forensic analysis on May 12, 2025, filed with HHS OCR on May 29, 2025, and mailed individual notifications beginning July 7, 2025. Exposed data includes names, Social Security numbers, dates of birth, diagnoses, medications, and treatment information. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jul 18, 2024
Earliest date of unauthorized access to NWCSB's network, per the entity's notice
Aug 8, 2024
NWCSB detects unauthorized activity on its network, secures systems, and engages third-party cybersecurity specialists
Aug 24, 2024
BlackSuit ransomware gang publicly claims the attack on its dark-web leak site (approximately 34 GB exfiltrated)
Oct 7, 2024
NWCSB posts an initial Notification of Data Security Incident to nwcsb.com
May 12, 2025
Forensic data review completed; NWCSB identifies the specific data elements and individuals affected
May 29, 2025
NWCSB files HIPAA breach notification with HHS Office for Civil Rights (21,856 individuals; Hacking/IT Incident; Network Server)
Jul 7, 2025
NWCSB updates its public notice, mails individual notification letters, and files with state attorneys general (Massachusetts, Maine, and others)
Jul 18, 2024
Earliest date of unauthorized access to NWCSB's network, per the entity's notice
Aug 8, 2024
NWCSB detects unauthorized activity on its network, secures systems, and engages third-party cybersecurity specialists
Aug 24, 2024
BlackSuit ransomware gang publicly claims the attack on its dark-web leak site (approximately 34 GB exfiltrated)
Oct 7, 2024
NWCSB posts an initial Notification of Data Security Incident to nwcsb.com
May 12, 2025
Forensic data review completed; NWCSB identifies the specific data elements and individuals affected
May 29, 2025
NWCSB files HIPAA breach notification with HHS Office for Civil Rights (21,856 individuals; Hacking/IT Incident; Network Server)
Jul 7, 2025
NWCSB updates its public notice, mails individual notification letters, and files with state attorneys general (Massachusetts, Maine, and others)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Northwestern Community Services Board, the public community services board that has served Virginia’s Shenandoah Valley since 1969 from its administrative offices in Front Royal, has confirmed a BlackSuit ransomware intrusion between July 18 and August 8, 2024 that exposed sensitive records for 21,856 patients and employees. NWCSB provides behavioral and mental health care, intellectual and developmental disability supports, and substance use disorder treatment to residents of Clarke, Frederick, Page, Shenandoah, and Warren counties and the City of Winchester. As with every Virginia CSB breach, the population, not just the headcount, is the story.
Timeline
- July 18, 2024 — earliest date of unauthorized access to NWCSB’s network, per the entity’s own Notification of Data Security Incident.
- August 8, 2024 — NWCSB discovers the unauthorized activity, secures its systems, and engages third-party cybersecurity specialists.
- August 24, 2024 — the BlackSuit ransomware gang publicly claims responsibility on its dark-web leak site, asserting that roughly 34 GB across 36,045 files and 9,110 directories was exfiltrated from a path it identifies as
Y:\jerseynwcsb\DATA\Shares. NWCSB has not publicly verified the gang’s specific claims. - October 7, 2024 — NWCSB posts an initial Notification of Data Security Incident on nwcsb.com.
- May 12, 2025 — forensic data review completes; NWCSB identifies the specific data elements and the individuals whose information was involved.
- May 29, 2025 — NWCSB files its HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights: 21,856 affected, Hacking/IT Incident, Network Server.
- July 7, 2025 — NWCSB updates its public notice, mails individual notification letters, and files with state attorneys general (Massachusetts reports 6 affected residents; Maine reports 7).
What was exposed
Per NWCSB’s Notification of Data Security Incident and trade-press reporting drawing on the entity’s state-AG filings, the data set obtained from NWCSB’s systems included, depending on the individual:
- Full name, address, and date of birth
- Social Security number and government-issued ID number
- Medical record number, doctor’s name or practice type, dates of service
- Diagnosis, treatment, and medication information
- Health insurance information and medical claims / billing information
- Financial information
NWCSB has stated that complimentary credit monitoring and identity protection services are being made available through the dedicated assistance line (1-855-577-9041, Monday–Friday, 8am–8pm Eastern). The specific monitoring vendor and term length are not named in the public notice reviewed.
Sensitive-population considerations (BH + SUD — 42 CFR Part 2 applies)
NWCSB is a Virginia community services board. Its service lines explicitly include mental health, substance use, and intellectual and developmental disability programs. For the SUD population, treatment records are covered by 42 CFR Part 2 in addition to HIPAA. Part 2 imposes stricter consent and re-disclosure requirements than HIPAA alone, and HHS OCR began enforcing a unified HIPAA / Part 2 rule effective February 16, 2026. That means unauthorized exfiltration of SUD treatment records — and the kind of dark-web posting BlackSuit appears to have carried out here — is now squarely within OCR’s enforcement lane.
NWCSB’s public notice does not invoke Part 2 by name. It also does not separately enumerate behavioral-health or SUD diagnoses inside the affected data set, describing the exposure generically as “diagnosis and treatment information” and “medication information.” For patients who received care through NWCSB’s SUD or behavioral-health programs, that language almost certainly covers the most sensitive parts of their record.
Credit-monitoring / identity-protection offering
The entity’s notice states that complimentary credit monitoring and identity protection services are available to affected individuals through the dedicated assistance line (1-855-577-9041) or by mail at 209 West Criser Road, Suite #300, Front Royal, VA 22630. The notice reviewed does not name the monitoring vendor or specify the enrollment period; affected individuals should look for that detail in their individual notification letter.
Class-action posture
ClassAction.org publicly opened and then closed an investigation into the NWCSB incident; no formal complaint in the U.S. District Court for the Western District of Virginia was indexed in the open sources reviewed as of this update. BlackSuit’s posting of an exfiltration claim on its leak site — the kind of public evidence that typically draws plaintiff-firm interest — is documented in trade press (HIPAA Journal, Halcyon). This page will be updated if filings appear.
What to do
- Read the letter. If you or a family member received services from NWCSB between July 18 and August 8, 2024, watch for a notification letter mailed on or around July 7, 2025. It contains the specific data elements that applied to you and your enrollment code for the offered identity protection. If you believe you were affected but did not receive a letter, call NWCSB’s dedicated assistance line at 1-855-577-9041 (Monday–Friday, 8am–8pm Eastern) or write to 209 West Criser Road, Suite #300, Front Royal, VA 22630.
- Enroll in the offered monitoring. Full SSN is in scope; do not leave the monitoring on the table.
- Place free credit freezes at Equifax, Experian, and TransUnion. About ten minutes per bureau, and the single highest-leverage step against new-account identity theft.
- File IRS Form 14039 if you see signs of tax-refund fraud or receive an unexpected IRS notice. SSNs exposed alongside dates of birth are the exact ingredients for fraudulent tax filings.
- If your SUD or behavioral-health record was in the exfiltrated set, document any unauthorized re-disclosure you encounter. Under 42 CFR Part 2, you have stronger remedies for re-disclosure of SUD records than HIPAA alone provides.
- Stop the ongoing flow of your most sensitive treatment data. HealthConsent files HIPAA and 42 CFR Part 2 restriction requests so behavioral-health and SUD records exposed in incidents like this are not continuously re-shared downstream.
Sources
- Northwestern Community Services Board — Notification of Data Security Incident (updated July 7, 2025) — the entity’s own public notice; access window, data categories, and assistance-line contact.
- HIPAA Journal — Data Breaches Announced by Shelby Dermatology & Northwestern Community Services Board — confirms the 21,856 headcount, the data fields involved, and BlackSuit attribution.
- Halcyon — BlackSuit Ransomware Hits Virginia’s Northwestern Community Services Board — BlackSuit leak-site claim, exfiltration size (approximately 34 GB), file and directory counts, and source path.
- ClassAction.org — Northwestern Community Services Board Data Breach Investigation — plaintiff-firm investigation status (closed; no complaint filed in sources reviewed).
- ClaimDepot — Northwestern Community Services Board Data Breach Affects 21,856 Individuals — confirms state attorney general filings (Massachusetts, Maine) and consumer-notification date.
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Northwestern Community Services Board — Notification of Data Security Incident (updated 2025-07-07)
- HIPAA Journal — Data Breaches Announced by Shelby Dermatology & Northwestern Community Services Board
- Halcyon — BlackSuit Ransomware Hits Virginia's Northwestern Community Services Board
- ClassAction.org — Northwestern Community Services Board Data Breach Investigation
- ClaimDepot — Northwestern Community Services Board Data Breach Affects 21,856 Individuals
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.