A ransomware group called Genesis over the weekend took credit for a January 2026 cyber attack on the National Association on Drug Abuse Programs.
NADAP posted a data breach notice on its website on February 13, 2026. The notice says an unauthorized actor breached it systems on January 10, and that NADAP detected the breach on January 27.
The breached data includes:
- Names
- Social Security numbers
- Dates of birth
- Medical and health info
- Treatments
- Diagnoses
- Health insurance info
- Tax info
- Financial info
On March 6, 2026, Genesis claimed responsibility for the breach. On its data leak website, Genesis said it stole 2 TB of data from NADAP, including medical info and HR files. The cybercriminal group gave a lengthy justification for attacking the charitable non-profit organization, which helps New Yorkers find healthcare and employment.
NADAP has not acknowledged Genesis’ claim and Comparitech cannot independently verify it. We do not know if NADAP paid a ransom, how much Genesis demanded, how many people were compromised, or how attackers breached NADAP’s network. Comparitech contacted NADAP for comment and will update this article if it replies.
“National Association on Drug Abuse Programs, Inc. (NADAP) determined on January 27, 2026 that a recent data security incident may have impacted the protected health information and/or protected personal information belonging to certain clients employees and related individuals,” says NADAP’s February 13 notice (PDF) to breach victims.
“On or about January 10, 2026, we identified suspicious activity within our network, and promptly took steps to secure the environment and launched an investigation.”
The notice does not mention any offer of free credit monitoring or identity theft protection for breach victims.
Who is Genesis?
Genesis is a newer ransomware group that started claiming responsibility for attacks on organizations in October 2025. Its malware both steals data and locks down computer systems. Genesis then demands payment to destroy stolen data and restore infected systems.
The group has claimed responsibility for for 49 ransomware attacks in total, seven of which were confirmed by the targeted organizations.
In addition to NADAP, Genesis this past weekend also took credit for a breaching the local government of Hart, Michigan.
In another recently confirmed attack, Community Health Action of Staten Island has started notifying victims of an October 2025 breach claimed by Genesis.
Ransomware attacks in the USA
Comparitech researchers have logged 27 confirmed ransomware attacks in 2026 to date. In 2025, we logged 662 for the whole year.
In another attack on a US non-profit, the Children’s Council of San Francisco last week confirmed it notified 12,000 people of an August 2025 data breach claimed by the SafePay ransomware group.
Ransomware attacks can both lock down computer systems and steal data. The attackers then demand a ransom to restore infected systems and delete stolen data. Organizations that refuse to pay can face permanent data loss, extended downtime, and putting data subjects at increased risk of fraud.
About the National Association on Drug Abuse Programs
NADAP is a non-profit organization that provides healthcare and employment services to underserved communities in New York. It has conducted more than 800,000 assessments for substance abuse disorders, and referred 500,000 people to treatment providers since 1997. Annually, NADAP helps more than 35,000 New Yorkers sign up for healthcare, find work, and access community resources. Last year, it completed 18,500 career assessments and helped 650 people find jobs, according to its website.
