NADAP announces 90k data breach

The National Association on Drug Abuse Problems (NADAP) recently notified the Department of Health and Human Services of a large data breach.

 

What happened

On February 13th, 2026, New York-based non-profit NADAP notified the HHS of a breach impacting 90,000 individuals. The incident was listed as a network server breach. While NADAP notified the HHS on February 13th, the notice was not posted by the HHS until recently.

According to NADAP’s breach notice, the organization determined an incident took place on January 27th, 2026. Both employees and patients may have had data accessed. Impacted information included names, Social Security numbers, dates of birth, medical or health information, health care treatment or diagnostic information, health insurance information, and tax or financial information.

 

In the know

While NADAP has not cited the incident as a ransomware attack, Ransomware Live determined that ransomware group Genesis listed NADAP as one of its victims and claimed to have two terabytes of data. According to Genesis, the group chose to target a non-profit organization for several reasons, including that “it has access to government money that for-profits can’t touch.” Genesis cited Medicaid contracts, New York state grants and emergency funds.

Genesis further stated, “This is not the first time we have worked with non-profit organizations, and we are very selective in our choices.” Genesis said they offered “fair terms,” but NADAP did not engage in negotiations.

 

Why it matters

Organizations that aid individuals with substance abuse can hold especially valuable data in the healthcare space, as issues related to substance use are often viewed as uniquely private. A study from Front Digit Health noted that cybersecurity is critical for organizations that handle issues related to mental health. The article noted, “Cyber-attacks can potentially trigger or exacerbate issues such as anxiety, insomnia, trauma, paranoia, substance abuse, or even suicidal behaviors and actions.”

 

The big picture

Protecting records related to substance abuse has been a key issue in recent years. In 2024, the HHS announced modifications to confidentiality rules for patients with substance use disorder (SUD) records. The updates were designed to improve coordination of care while maintaining patient confidentiality. The changes included new rules for disclosing data and the right for patients to know who their data had been disclosed to. According to the Ransomware Research Center, the HHS will soon launch a specific breach reporting site to handle breaches related to SUD.

 

FAQs

Why does it take so long for the public to be notified of data breaches?

Organizations are supposed to notify the HHS within 60 days of discovery, which NADAP did. However, the HHS did not immediately publish the notice, likely because an investigation was ongoing. Organizations may try to delay notices to the public while they determine who was affected and ensure systems are secured again.

 

Will NADAP confirm the incident was a ransomware attack?

While organizations occasionally state if they faced a ransomware attack, most never do. Often, any negotiations between organizations and ransomware groups are done behind closed doors and with the assistance of law enforcement. The public rarely receives confirmation of what happened to the data or if a ransom was paid.

 

Do ransomware groups always leave explanations for their attacks?

No. Many ransomware organizations never state why a particular organization was attacked. However, some malicious groups, like Genesis, claim to have moral and financial motives. From their statement, it seems that Genesis decided to specifically target NADAP.
