The National Association on Drug Abuse Programs, Inc. (NADAP) recently reported a data breach that may have exposed sensitive personal and health information belonging to clients, employees, and related individuals. The organization discovered suspicious activity in its network and launched an investigation into unauthorized access to certain files.
NADAP’s Data Breach Investigation
The National Association on Drug Abuse Programs, Inc. (NADAP), a New York–based nonprofit organization focused on behavioral health and substance use treatment programs, recently disclosed a cybersecurity incident that may have exposed protected personal and health information.
On or about January 10, 2026, NADAP detected suspicious activity within its network environment. After identifying the unusual activity, the organization immediately initiated its incident response procedures and began taking steps to secure its systems. NADAP also engaged third-party cybersecurity specialists to conduct a comprehensive investigation into the nature and scope of the incident.
Through this investigation, cybersecurity experts determined that an unknown actor gained unauthorized access to the organization’s network. During the intrusion, the attacker accessed files stored within NADAP’s systems. Some of those files contained sensitive information related to clients, employees, and other associated individuals.
On January 27, 2026, NADAP confirmed that the incident may have impacted protected health information (PHI) and protected personal information. The organization then began the process of identifying which individuals may have been affected and what specific information may have been involved. According to NADAP, this review process remains ongoing.
Because the compromised files contained a variety of records, the types of information involved may differ depending on the individual. However, the investigation indicates that the exposed information may include both personal identifiers and medical-related information.
The potential exposure of protected health information raises additional concerns because healthcare data can be particularly valuable to cybercriminals. Information related to medical care, health insurance, and personal identifiers can be used for identity theft, insurance fraud, or other forms of exploitation.
In response to the breach, NADAP has taken steps to strengthen its network security and reduce the risk of similar incidents in the future. The organization reported the incident to several government authorities and regulatory agencies, including:
-
The U.S. Department of Health and Human Services (HHS)
-
The New York Department of State
-
The New York State Division of State Police
-
The New York State Office of the Attorney General
-
The Federal Bureau of Investigation (FBI)
NADAP has indicated that it will cooperate fully with any resulting investigations to help identify and hold those responsible accountable.
To assist individuals who may have been affected, NADAP has established a dedicated toll-free call center where people can ask questions about the incident and receive guidance on protecting their personal information. Call center representatives are available Monday through Friday from 8:00 a.m. to 8:00 p.m. Eastern Time.
Although the organization has not publicly reported confirmed cases of identity theft connected to the breach, individuals whose personal or medical information was exposed may face ongoing risks.
When Did This Breach Occur?
The unauthorized access was identified on or about January 10, 2026, when NADAP detected suspicious activity within its network.
The organization later determined on January 27, 2026 that the incident may have impacted protected health information and personal data.
What Information Was Breached?
The information potentially exposed in the NADAP data breach may vary by individual but could include:
-
Full Name
-
Social Security Number
-
Date of Birth
-
Medical or Health Information
-
Health Care Treatment or Diagnostic Information
-
Health Insurance Information
-
Tax Information
-
Financial Information
What You Can Do
If you believe your personal information may have been affected by the NADAP data breach, there are several steps you can take to help protect yourself from potential identity theft or fraud.
First, carefully monitor your financial accounts and healthcare statements for any unusual or unauthorized activity. If you notice unfamiliar transactions or accounts, contact your financial institution immediately.
You should also review your credit reports regularly. Under U.S. law, consumers are entitled to receive a free credit report from each of the three major credit reporting agencies—Equifax, Experian, and TransUnion—once every 12 months. You can obtain your reports by visiting AnnualCreditReport.com or by calling 1-877-322-8228.
If you suspect identity theft, report the incident to law enforcement and consider placing a fraud alert or credit freeze on your credit file. These measures can help prevent unauthorized accounts from being opened in your name.
Remaining vigilant and checking your accounts regularly can help reduce the risk of financial or identity-related harm following a data breach.
If you received notice that your information was involved in this incident, you may also want to explore your legal options.
File a Data Breach Lawsuit Against NADAP
If you received a notice stating that your personal or protected health information was exposed in the NADAP data breach, you may be eligible to pursue compensation.
Organizations that collect and store sensitive information—especially protected health information—have a legal responsibility to safeguard that data from unauthorized access. When companies fail to properly protect personal information, individuals may face serious risks including identity theft, financial fraud, and privacy violations.
Class action lawsuits allow individuals affected by data breaches to hold organizations accountable when security failures occur. In some cases, victims may be able to recover compensation for damages, identity protection costs, lost time addressing fraud concerns, and other related losses.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team.
