Legal Services of Long Island Data Breach Exposes Social Security Numbers and Health Information

Non-profit data breach illustration
Breach Discovery: 5th January 2026Breach Notification: 12th June 2026

What Happened in the Legal Services of Long Island Data Breach?

Legal Services of Long Island, a non-profit law firm that provides free civil legal help to low-income and disabled residents of Nassau and Suffolk Counties, has disclosed a major data breach. The organization detected suspicious activity within its technical environment and moved quickly to respond. As a result, this Legal Services of Long Island data breach now affects tens of thousands of people whose sensitive information was stored in the organization’s systems.

After spotting the unusual activity, the organization brought in outside cybersecurity and digital forensics specialists to contain the incident. On Jan. 5, 2026, the forensic team began reviewing files that an unauthorized third party had accessed. This review process took several months, which is common in breaches involving large volumes of sensitive files that require careful examination before conclusions can be drawn.

On May 15, 2026, the investigation confirmed that an unauthorized third party had accessed certain systems within the organization’s network. In addition, the investigation found that this party had removed data from the environment. Because the organization serves vulnerable populations, including disabled and low-income residents, the exposure of personal and health data raises particular concern.

Following the completion of its investigation, Legal Services of Long Island reported the breach to state regulators. The organization notified the Massachusetts Office of Consumer Affairs and Business Regulation and the Vermont Attorney General starting on June 12, 2026. These filings are a standard part of the breach notification process and helped bring the incident to public attention.

Who was affected?

The breach affects individuals connected to Legal Services of Long Island, likely including current and former clients who received free legal assistance from the organization. Because the non-profit primarily serves low-income and disabled residents, many affected individuals may already face barriers to recovering from identity theft or fraud. This makes the breach especially concerning for the population it touched.

According to a report filed with the Indiana Attorney General, a total of 94,434 people were impacted by this incident. The organization has not publicly disclosed further demographic breakdowns of the affected group. However, given the nature of the organization’s work, both personal clients and possibly their family members could be included among those affected.

The breach appears to be centered on residents of Nassau and Suffolk Counties in New York, where the organization operates. Still, because breach notifications went to attorneys general in Massachusetts and Vermont, affected individuals may reside in other states as well. This suggests the impacted population extends beyond New York alone.

What Information Was Potentially Exposed?

The exposed data includes a wide range of personally identifiable and protected health information. This combination of data types makes the breach particularly serious, since it gives criminals multiple ways to exploit victims. The following categories of information were confirmed as compromised:

  • Full names and addresses
  • Dates of birth
  • Social Security numbers
  • Government ID numbers
  • Biometric information
  • Credit and debit account information
  • Financial account codes
  • Diagnosis information
  • Treatment information
  • Doctor or medical professional names

Because Social Security numbers and government ID numbers were exposed, affected individuals face a heightened risk of identity theft. Criminals can use this information to open new credit accounts, file fraudulent tax returns, or apply for loans in someone else’s name. As a result, victims may not discover the fraud until significant damage has already occurred.

In addition, the exposure of financial account information and biometric data raises further concerns. Unlike a password, biometric information cannot simply be changed if it falls into the wrong hands. Meanwhile, the exposure of diagnosis and treatment information could lead to medical identity theft, where someone uses stolen health details to obtain medical services or prescriptions fraudulently.

What is the company doing?

Once Legal Services of Long Island detected the suspicious activity, it acted quickly to contain the threat. The organization engaged cybersecurity and forensic experts to investigate the scope of the intrusion. This response allowed the organization to determine which files and systems were affected before notifying regulators and impacted individuals.

In response to the breach, Legal Services of Long Island is now offering free identity theft protection services through IDX, a data breach recovery services provider. The IDX package includes up to 24 months of credit monitoring with around-the-clock coverage. It also includes a $1,000,000 insurance reimbursement policy and a dark web monitoring tool to help detect misuse of personal information.

Affected individuals who received a notification letter can enroll in these protections through the IDX enrollment page, by phone, or by scanning a QR code included in their letter. Because an enrollment code is required, individuals should keep their notification letter in a safe place. IDX representatives are available Monday through Friday from 9 a.m. to 9 p.m. Eastern Time to help with enrollment and answer questions. The deadline to enroll is Sept. 1, 2026.

What Should Affected Individuals Do?

Enroll in the Free Identity Protection Services

Anyone who received a notification letter should consider enrolling in the free IDX identity protection services right away. This offer includes valuable tools like credit monitoring and dark web monitoring that can help detect fraud early. Because the enrollment deadline is Sept. 1, 2026, affected individuals should not wait too long to sign up.

To enroll, individuals will need the enrollment code found in their letter. This code confirms that a specific person was part of the breach and allows access to the services. If a letter has been lost, contacting IDX directly by phone may help resolve the issue before the deadline passes.

Place a Fraud Alert or Credit Freeze

Because Social Security numbers and financial account details were exposed, affected individuals should strongly consider placing a fraud alert or credit freeze on their credit files. A fraud alert requires lenders to verify identity before opening new credit in someone’s name. This extra step can prevent criminals from easily using stolen information.

A credit freeze offers even stronger protection by restricting access to a person’s credit report entirely. As a result, most lenders cannot open new accounts until the freeze is lifted. Individuals can request a freeze through each of the three major credit bureaus, and it typically remains free and reversible whenever needed.

Monitor Health Records and Insurance Statements

Since diagnosis and treatment information were exposed, affected individuals should watch for signs of medical identity theft. This means reviewing insurance statements for unfamiliar charges or services never received. If something looks incorrect, contacting the healthcare provider or insurer right away can help limit further misuse.

In addition, requesting a copy of one’s medical records periodically can help catch inaccuracies caused by fraudulent activity. Medical identity theft can be harder to detect than financial fraud because it may not show up on a credit report. Therefore, staying alert to unusual medical bills or collection notices is especially important after this type of breach.

Stay Alert for Phishing Attempts

Following any data breach, scammers often try to take advantage of the situation through phishing emails, texts, or phone calls. These messages might pretend to be from Legal Services of Long Island or IDX in an attempt to steal even more personal information. Because of this, individuals should be cautious about clicking links or sharing details in response to unexpected messages.

Instead, anyone unsure about a message’s legitimacy should contact the organization or IDX directly using verified contact information. Never provide personal details in response to unsolicited requests. This simple habit can prevent scammers from causing additional harm after the initial breach.

Consider Consulting a Data Breach Attorney

Given the sensitive nature of the exposed information, affected individuals may want to speak with a data breach attorney about their legal options. An attorney can help explain whether compensation may be available for time spent addressing the breach or for any resulting harm. This is especially relevant given the scale of the incident and the sensitivity of the health data involved.

Many attorneys who handle data breach cases offer free initial consultations. This means individuals can learn about their rights without any upfront cost. Because deadlines for legal claims can vary, reaching out sooner rather than later is generally the safer approach.



More Information

Official Source

Official Data Breach Notification Letter (PDF)

Official Source

Official Source

Official Source

Related Data Breaches