Legacy Treatment Services, Inc. ("Legacy") and Community Treatment Solutions ("CTS") experienced a data breach involving unauthorized access to their network. According to the company's official disclosure, a cybercriminal infiltrated Legacy's network and accessed sensitive personal information (PII) and protected health information (PHI).
On November 13, 2024, the investigation confirmed that both personal and protected information were accessed and acquired by the unauthorized actor between October 6 and October 11, 2024. At least 41,826 individuals were impacted by the cybersecurity incident.
The INTERLOCK ransomware group, which claimed responsibility for the cyberattack, stated on the dark web that it obtained approximately 170 GB of data. This stolen data reportedly includes internal documents, patient records, and a large SQL database.
Exposed information includes names, contact information, dates of birth, Social Security numbers, driver's license or state ID numbers, bank names, financial account numbers, routing numbers, credit or debit card numbers, card CVV expiration dates, PIN codes, login information, medical diagnoses, clinical information, medical treatments, procedure information, procedure types, treatment cost information, doctor names, medical record numbers, patient account numbers, health insurance information, prescription information and biometric data.
Legacy began notifying impacted individuals by mail on Aug. 20, 2025. The company disclosed the data breach to the offices of the Maine, Vermont, New Hampshire and Massachusetts Attorneys General beginning on Aug. 22, 2025.
Legacy Treatment Services has provided a detailed notice of the data security incident on their official website, outlining the breach and offering guidance for potentially impacted individuals. The company also set up a dedicated and confidential toll-free response line at 1-877-733-9775, available from 9:00 am to 9:00 pm ET, Monday through Friday.
If you receive a notice from Legacy Treatment Services or Community Treatment Solutions about this breach, you may want to:
For more information, visit their official website at legacytreatment.org.