Breach Hits Drug Testing Firm in 2024; Informs Customers Year Later, Law Firm Alleges

"Although the breach occurred in July 2024, TADTS did not begin notifying affected individuals until on or around July 18, 2025," which possibly put the firm in violation of laws, Schubert Jonckheer said in a press release. The lawyers are investigating the breach on behalf of potential victims.

Data exposed may include Social Security numbers, passport numbers, bank/financial information, credit/debit card information, health insurance information, US Citizen and Immigration Services (USCIS) or alien registration numbers, and biometric information, Schubert Jonckheer said. TADTS conducts testing for state and federal agencies as well as private employers.

A page on the TADTS site notifies visitors of the breach. It said that "on July 9, 2024, TADTS became aware of a potential compromise to data maintained in our systems," and "immediately took steps to investigate, contain, and remediate the situation, including changing passwords, enhancing our endpoint detection protocols, and engaging experienced privacy and cybersecurity professionals to assist."

The information the website said was leaked mirrors what the law firm listed in its press release, though it did not divulge the number of people impacted. In addition, TADTS said it "reported this Incident to relevant government agencies," though it did not say when it did.

The Maine attorney general's office reported the breach on July 17, saying that two of the 748,763 affected were Maine residents. In the attached sample notification letter, TADTS said it is "unaware of any fraud or identity theft in relation to the Incident," but recommended those impacted monitor free credit reports. The Vermont OAG also reported the breach July 17, and included the same sample letter.