Sensitive personal and health information belonging to tens of thousands of patients and employees was allegedly exposed after cybercriminals gained access to records maintained by two healthcare providers, according to a recently filed class action complaint. The lawsuit was brought by a former employee who claims that the organizations failed to safeguard private data, resulting in an increased risk of identity theft and financial fraud for those affected.
The complaint was filed by Jennifer Zelenka on April 22, 2026, in the United States District Court for the District of New Jersey against Legacy Treatment Services and Community Treatment Solutions. Zelenka is seeking to represent herself and all others similarly situated whose information was compromised during what is described as a significant data breach.
According to the filing, between approximately October 6, 2024, and October 11, 2024, unauthorized actors accessed highly sensitive personal information stored by the defendants. The types of data reportedly exposed include first and last names along with Social Security numbers, dates of birth, driver’s license or state ID numbers, phone numbers, email addresses, passport numbers, financial account details (including routing numbers and bank names), credit or debit card information (with CVV codes), login credentials, medical diagnoses and treatment details, insurance information, prescription data, biometric identifiers, and more. The plaintiff alleges that this breadth of information provides cybercriminals with ample means to commit various forms of fraud.
The court documents state that upon learning about the breach—though no specific date is provided—the defendants “quickly engaged professionals experienced in handling these types of incidents” to investigate. However, it is alleged that their investigation was not completed until July 18, 2025—nine months after the initial incident—and that notification letters were not sent out until around August 22, 2025. This delay in notification forms part of the plaintiff’s grievance: “Defendants waited approximately ten months from the date of the Data Breach to directly notify affected individuals,” according to the complaint.
The lawsuit highlights that roughly 41,826 individuals were impacted by this breach based on reports submitted by the defendants to authorities. Despite this large number and the sensitivity of the compromised data—including protected health information governed under federal law—the plaintiff contends that critical details remain undisclosed. These include how attackers exploited vulnerabilities in security systems; which law enforcement agencies were notified; exactly what data was exposed; when precisely defendants learned about the breach; why there was a lengthy delay before notifying victims; or what steps have been taken since then to strengthen protections.
Zelenka alleges that both Legacy Treatment Services and Community Treatment Solutions had a duty—under common law as well as federal statutes such as HIPAA—to implement reasonable safeguards for private information. The complaint states: “Defendants owed a non-delegable duty…to implement and maintain reasonable and adequate security measures.” It further argues that failure to do so constitutes negligence per se under laws including Section 5 of the Federal Trade Commission Act (which prohibits unfair business practices) as well as HIPAA regulations requiring timely notification following breaches involving protected health information.
As described in her individual experience within the filing, Zelenka worked at Community Treatment Solutions from 2013 until 2020. She reports receiving notice in August 2025 confirming her own records were among those accessed during the breach. Since then she claims she has suffered identity theft—including an increase in spam calls—and discovered her personal details circulating on dark web forums. She estimates spending over fifteen hours monitoring accounts for suspicious activity since learning about her exposure.
The legal arguments presented seek relief for negligence; negligence per se; breach of fiduciary duty; breach of implied contract; unjust enrichment; declaratory relief; injunctive relief; monetary damages (including compensatory damages); statutory damages; punitive damages; equitable relief; reimbursement for out-of-pocket costs incurred due to monitoring or remediation efforts; improvements in security systems at both organizations; future annual audits; and provision of credit monitoring services funded by defendants.
Class certification is sought on behalf of all U.S. residents whose personal information was accessed during either this or any prior related breaches reported by Legacy Treatment Services or Community Treatment Solutions. Excluded from proposed class membership are judges presiding over this case (and their immediate families), current or former officers/directors/owners/employees of defendant entities themselves.
The case is being handled by attorney Philip J. Furia (NJ Bar No. 013152009) from Furia Law LLC based in Summit, New Jersey. The case identification number is Case No: 1:26-cv-04287.
