What began as a tech scare inside Legal Services of Long Island has turned into a full-fledged data-breach response. The nonprofit says an unauthorized party got into parts of its computer systems and may have accessed sensitive client records. The group, which provides free civil-legal help across Nassau and Suffolk counties, reports that it brought in cybersecurity specialists to investigate and contain the incident. Clients have started receiving notification letters, and the agency says it is offering identity-protection services to those affected.
The scope of the breach
According to Claim Depot, a forensic team began reviewing files on Jan. 5, 2026, and on May 15, 2026, determined that an unauthorized third party had accessed certain systems and removed data. The report says the exposed material may include names, dates of birth, Social Security numbers, government identification numbers, biometric information, credit and debit account data, and diagnosis and treatment records. Claim Depot also notes that the organization began notifying several state attorneys general on June 12, 2026.
Who was affected and where they can get help
According to Legal Services of Long Island, the agency operates offices in Hempstead, Islandia and Riverhead and serves thousands of low-income and disabled residents with housing, public-benefits and healthcare-access matters. The locations page lists phone numbers and walk-in information that clients can use to ask questions about notices or to request help. Given the organization’s client base, exposure of medical and financial records could pose heightened risks for people who rely on the nonprofit for basic legal safety nets.
Identity protection and enrollment details
Claim Depot reports that Legal Services of Long Island is offering affected individuals free identity-protection services through IDX. According to IDX’s site, those services include up to 24 months of credit monitoring, dark-web scanning and an insurance reimbursement policy. IDX’s site also describes its breach-response and consumer-enrollment services and provides a portal for people who received notification letters to enroll. The reporting notes an enrollment phone number and indicates that the enrollment deadline in the notice is Sept. 1, 2026.
What to do if you receive a notice
If a letter arrives saying your information may have been exposed, federal guidance recommends freezing your credit, checking your credit reports and reporting suspected identity theft at IdentityTheft.gov. The Federal Trade Commission’s site offers step-by-step recovery plans along with templates for disputing fraudulent charges and correcting credit records, so people are not starting from scratch if something looks off.
Legal and regulatory questions
Because the files reportedly included protected health information, the incident raises questions about breach-notification duties under HIPAA and related state laws. Federal guidance on the HIPAA Breach Notification Rule from the Department of Health and Human Services explains that covered entities and business associates must notify the HHS Office for Civil Rights when there is a breach of unsecured PHI and must follow specific reporting timelines and content requirements. State attorneys general also publish breach notices and may investigate whether an organization’s security practices met legal obligations.
Why this matters locally
Legal Services of Long Island is a long-standing legal-aid provider on the island, and this breach hits a population that often has the fewest resources to deal with identity theft or misuse of medical records. For questions about whether you were affected, the group directs people to call the numbers listed on its locations page or to follow the enrollment instructions printed in any notification letter they receive.
