Northwestern Community Services Board Data Breach Affects 21,856 Individuals

Northwestern Community Services Board (NWCSB), a public provider of behavioral health services in Virginia’s Shenandoah Valley, has experienced a data breach. The incident, discovered on August 8, 2024, affected 21,856 individuals in the United States, exposing both personally identifiable information (PII) and protected health information (PHI).

The breach was the result of a ransomware attack carried out by the group known as BLACK SUIT, which claimed responsibility for the attack on August 24, 2024. The attack was posted on the Tor network, a platform for ransomware groups to publicize their crimes and pressure organizations into paying ransoms.

NWCSB disclosed the breach to the U.S. Department of Health and Human Services on May 29, 2025. The company also posted a Notification of Data Security Incident on its own website.

The data breach was disclosed to the Massachusetts and Maine Attorney Generals' offices beginning on July 7, 2025. Affected individuals include six Massachusetts residents and seven from Maine.

Patient and employee information compromised may include names, medical history and treatment information, health insurance details, and financial information.

Northwestern Community Services Board's response

In response to the breach, Northwestern Community Services Board has taken steps to comply with regulatory requirements and notify affected individuals.

If you received a notification or believe you may be affected by this breach, it is important to:

• Carefully review any notice or communication you receive from Northwestern Community Services Board.
• Review your account statements and explanation of benefits forms for suspicious activity.
• Monitor your credit reports for any unauthorized accounts or changes.
• Consider placing a fraud alert or credit freeze with the major credit bureaus.

For more details about the company and its services, visit the Northwestern Community Services Board website.