AACN payment system breach exposes data of nearly 60,000 customers

A cyberattack on the American Association of Critical-Care Nurses compromised payment and personal data tied to online transactions earlier this year.

 

What happened

The American Association of Critical-Care Nurses (AACN), based in California, has disclosed a data breach that exposed sensitive payment information belonging to nearly 60,000 customers. The breach affected individuals who made purchases on AACN’s website between March 8 and July 31, 2025.

Suspicious activity was detected earlier this year, prompting AACN to launch an investigation with external cybersecurity specialists. By July 31, the investigation confirmed that unauthorized access had occurred through the organization’s website payment system.

 

Going deeper

The exposed data included full payment card details such as card numbers, expiration dates, and CVV codes, along with names, email addresses, phone numbers, and both billing and shipping addresses. AACN’s filing with the Maine Attorney General’s Office listed 57,526 impacted individuals, although the number may be higher due to uncertainties around which specific transactions were accessed.

AACN stated that it notified affected users out of caution, as the investigation could not definitively determine which payment cards were compromised. In response, the organization has updated its website’s security infrastructure and taken additional measures to harden its payment systems.

 

What was said

“We take the security of our customers’ and members’ information very seriously,” AACN said in its official notice. The organization stated it has implemented additional safeguards to prevent similar incidents and is offering two years of complimentary identity protection and credit monitoring through IDX.

Customers have also been advised to monitor their accounts, credit reports, and benefit statements, and to report suspicious activity to both law enforcement and state regulatory authorities.

 

FAQs

What is a card skimming or “formjacking” attack, and could it apply here?

Formjacking involves injecting malicious code into website payment forms to harvest data during transactions. Although not confirmed, the timeline and nature of AACN’s breach suggest this method could have been used.

 

Why does the breach involve the Maine Attorney General’s Office?

Maine law requires entities to publicly report data breaches that affect its residents. Many organizations choose Maine’s registry as part of broader disclosure efforts.

 

Is IDX identity protection a government service?

No, IDX is a private company that provides identity theft protection and credit monitoring services, often contracted by organizations after a breach.

 

How long do stolen payment details typically remain useful to attackers?

Stolen card data can be sold or used quickly, but some attackers may store and resell the information over time. That’s why ongoing credit monitoring is recommended.

 

Does AACN store payment information permanently?

The breach notice does not specify AACN’s data retention practices. However, the fact that payment details were accessed suggests that some information was stored or temporarily held during transactions.