Legacy Treatment Services in New Jersey over the weekend confirmed it notified 41,826 people of an October 2024 data breach that compromised the following info:
- Names
- Social Security numbers
- Dates of birth
- Driver’s license numbers
- State-issued ID numbers
- Phone numbers
- Email addresses
- Passport numbers
- Financial account numbers
- Routing numbers
- Bank names
- Credit and debit card numbers, CVVs, and expiration dates
- PIN codes
- Login info
- Clinical info
- Medical treatments
- Treatment locations
- Treatment costs
- Doctors’ names
- Medical record numbers
- Patient account numbers
- Health insurance info
- Prescription info
- Biometric data
Ransomware group Interlock took credit for the attack shortly after the breach occurred. To prove its claim, Interlock posted sample images of what it says are documents stolen from Legacy Treatment Services. The group says it stole 170 GB of data including “internal documents, patient records, and a large SQL database.”
Legacy Treatment Services has not verified Interlock’s claim. We do not know if Legacy paid a ransom, how much Interlock demanded, or how attackers breached Legacy’s network. Comparitech contacted Legacy Treatment Services for comment and will update this article if it replies.
“As a result, those served by both Legacy and CTS may have had their
personal information impacted,” Legacy says in its notice to victims. “After an extensive forensic investigation and comprehensive document
review, on July 18, 2025 we determined your personal data may have been subject to unauthorized access and acquisition between October 6, 2024 and October 11, 2024,”
Legacy is offering eligible victims free identity theft protection through IDX. The deadline to enroll is November 20, 2025.
Who is Interlock?
Interlock is a ransomware gang that first started claiming attacks on its leak site in October 2024. The group extorts targets both to unlock infected computer systems and to not sell or release stolen data.
Interlock has taken credit for 27 confirmed ransomware attacks since it began, plus 32 unconfirmed claims that haven’t been publicly acknowledged by the targeted organizations.
Seven of those confirmed attacks hit healthcare companies including DaVita, which last week notified nearly 2.7 million people of a data breach. The city of St. Paul, MN; Box Elder County, UT; and Christian Brothers Academy also reported breaches claimed by Interlock in recent months.
Ransomware attacks on US healthcare
Comparitech researchers logged 173 confirmed ransomware attacks against US healthcare companies in 2024, compromising more than 28.4 million records throughout the year.
In addition to Legacy, two other healthcare providers also began notifying people of 2024 breaches last week. Aspire Rural Health System notified 138,386 people of a November 2024 breach claimed by BianLian. Washington Gastroenterology notified patients of an October 2024 data breach claimed by Inc.
In 2025 to date, we recorded 55 confirmed ransomware attacks on US healthcare companies, compromising 5.2 million records. Another 119 such attack claims have yet to be confirmed.
About Legacy Treatment Services
Based in Hainesport, New Jersey, Legacy Treatment Services is a nonprofit behavioral health and social services organization. It provides behavioral health, mental health, developmental, and addiction services at 10 locations throughout the state. Legacy served 20,000 patients in 2023, according to an annual report posted on its website.
