
AACOM reports data breach affecting almost 68K


The American Association of Colleges of Osteopathic Medicine (AACOM) recently disclosed a data breach that may have exposed the protected health information (PHI) of almost 68,000 individuals.


What happened

On September 26, 2024, AACOM detected suspicious activity in an employee’s email account. An internal investigation confirmed that an unauthorized third party may have accessed and exfiltrated sensitive personal information stored in that mailbox. AACOM completed its review of the affected data on March 31, 2025, identifying the individuals and information potentially compromised.

On April 8, 2025, AACOM began mailing breach notification letters to affected individuals. Impacted data may include names and Social Security numbers. Additionally, the organization is offering complimentary credit and cyber monitoring services to affected individuals.


What was said

The AACOM breach notification letter states, “Although we have no evidence of the misuse of any information as a result of this incident, we are also offering you complimentary identity protection services through IDX, a data breach and recovery services expert. IDX identity protection services include: 12 months/24 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services.”

The letter further read, “With this protection, IDX will help you resolve issues if your information is compromised. You can enroll in the IDX services by calling 1-877-798-4138 or by going to https://app.idx.us/account-creation/protect and using the enrollment code provided above. Please note the deadline to enroll is July 8, 2025.”


In the know

According to Paubox’s 2025 Healthcare Email Security Report:

  • Only 5% of phishing attacks are reported by employees, making early detection nearly impossible.
  • Only 1.1% of healthcare organizations had a low-risk email security posture, exposing widespread vulnerabilities.
  • 43.3% of email-related breaches occurred on Microsoft 365.
  • Email platforms like Barracuda, Mimecast, and Proofpoint accounted for 26.7% of breaches.

AACOM’s notice does not say how the employee account was compromised, but the incident fits a familiar pattern: a single mailbox that held names and Social Security numbers, accessed by someone who should not have had it. Over-reliance on default security settings, poor adoption of email authentication protocols and multifactor authentication, and limited employee awareness leave healthcare and educational organizations constantly exposed to exactly this kind of breach. The six-month gap between detection and completion of the data review also shows how costly it is to reconstruct what a mailbox contained after the fact.

Healthcare organizations should use a HIPAA compliant email solution that provides automatic encryption, inbound threat protection, and monitoring, and pair it with multifactor authentication on every mailbox and retention limits that keep PHI from accumulating in inboxes. Encryption protects messages in transit and at rest; it does not help once an attacker is logged in as the user, which is why the authentication and retention controls matter as much as the encryption.

Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

What is a data breach?

Under HIPAA, a breach occurs when an unauthorized party acquires, accesses, uses, or discloses protected health information (PHI) in a way the Privacy Rule does not permit. Examples include an attacker compromising an email account or server, losing an unencrypted device containing PHI, or sharing information with individuals who are not authorized to receive it.


What should individuals do if their data has been compromised?

Individuals who suspect their data has been compromised should enroll in any identity protection service the breached organization offers, monitor their financial and healthcare accounts for suspicious activity, and report unauthorized transactions immediately. When Social Security numbers are involved, as in this incident, they should also consider placing a fraud alert or a credit freeze with the three major credit bureaus and review their credit reports for accounts they did not open.


Are there any costs associated with placing a fraud alert or credit freeze?

No. Under U.S. federal law, placing, temporarily lifting, and removing a credit freeze is free at each of the three major credit reporting bureaus (Equifax, Experian, and TransUnion), and placing a fraud alert is free as well. Separately, consumers are entitled to free copies of their credit reports from each bureau through annualcreditreport.com, which is the best way to check whether a stolen Social Security number has already been used to open new accounts.
