The college’s pharmacy and health sciences school recently suffered an attack impacting over 28,000 individuals.
What happened
Albany College of Pharmacy and Health Sciences (ACPHS) recently notified the Vermont Attorney General of a data breach impacting approximately 28,600 individuals. Although Albany College posted a data breach notice on April 11th, 2025, they notified the Attorney General several months later on June 16th, 2025..
According to the notice, ACPS initially discovered the breach on September 14th, 2024, but through an investigation, learned that the breach had taken place over a longer period of time. Once the breach was discovered, ACPH immediately took steps to remediate and investigate the incident. The investigation determined that an unauthorized actor accessed ACPHS’s network between August 31st, 2024 and September 14th, 2024.
The data breach notice was last updated on April 11th, 2025. At this time, ACPHS stated that their investigation was “still ongoing.”
Going deeper
ACPHS has stated that they conducted an “exhaustive review of the potentially impacted data” to determine which individuals may have been impacted. Currently, the college does not have any evidence to suggest financial fraud or identity theft has taken place.
Impacted information may have included first and last names, dates of birth, birth certificates, account numbers, routing numbers, security codes, marriage certificates, mother’s maiden names, digital signatures, passport numbers, government identification numbers, Social Security numbers, taxpayer ID numbers, driver’s license numbers, payment card numbers, payment card expiration dates, alien registration numbers, username and password, health insurance information, medical information, and student information. Impacted information varied by individual.
In total, ACPHS reported that 28,600 individuals were impacted in the breach.
Why it matters
Colleges often hold a plethora of sensitive data related both to a student’s academic registration, but also to their health, since most colleges offer health services. There were many types of data impacted in this incident, and it’s possible that some individuals may have had data from every type impacted. For those individuals, it’s possible that they could face identity theft threats–especially considering some information, like digital signatures and mother’s maiden names, are often used to bypass security measures.
Aside from this, ACPHS also took nearly a full year to report the breach to the Vermont Attorney General, suggesting that the investigation was still underway. Because of this, impacted individuals may have had their data exposed without them knowing. Relying solely on the Department of Health and Human Services or Attorney Generals’ for information could mean individuals learn about a breach months–or longer–after it happens. Individuals should always be diligent to keep up-to-date contact information with any organization that houses their data.
FAQs
Why did it take so long to file a breach notice with the Attorney General?
While it’s unclear what caused this particular delay, organizations often wait to report information to Attorney Generals if an investigation is ongoing. For instance, they may not have known how many individuals were impacted until recently.
Why were so many types of data involved?
Colleges tend to house a variety of data–some of it could be related to student healthcare, while other types could be related to a student's financial status, emergency contacts, and more. Unfortunately, if all of this data was stored in the same system, it could make a data breach more impactful.
Abby Grifno
