NADAP Data Breach Exposes Over 400,000 Records

National Association on Drug Abuse Programs, (NADAP) Inc., recently experienced a data breach that has affected a large number of individuals served by the organization.

The breach was discovered on Jan. 10, 2026, and has since been linked to the GENESIS ransomware group.

According to information posted by the attackers on a dark web forum on March 7, 2026, the group claims to have compromised an extensive array of sensitive data belonging to the nonprofit.

The stolen data reportedly includes medical databases such as electronic health records (EHR) and behavioral health records protected under HIPAA and 42 CFR Part 2, as well as personal data databases containing over 400,000 SQL records with personally identifiable information (PII).

NADAP has posted a notice to consumers about the data breach on their website detailing the event.

The information confirmed to be exposed include PII such as names, Social Security numbers, dates of birth, and tax or financial information. In addition, protected health information (PHI) such as medical or health details, health care treatment or diagnostic information, and health insurance information was also compromised.

NADAP's response

Given the nature and scope of the data accessed, individuals who have interacted with NADAP should be especially vigilant for any signs of identity theft or fraud. It is important for affected persons to monitor their financial accounts, review health insurance statements for unauthorized activity, and consider placing a fraud alert or credit freeze with the major credit bureaus.

Because both PII and PHI were involved, individuals should also be aware of the potential for medical identity theft. NADAP’s official breach notice provides instructions and resources for those impacted.

Affected individuals are encouraged to follow the guidance provided and to reach out to NADAP or the appropriate authorities if they notice any suspicious activity related to their personal or health information.