American Addiction Centers faces data breach impacting over 410,000
Caitlin Anthoney Jan 2, 2025 7:36:43 PM
Brentwood, TN-based rehabilitation center American Addiction Centers, Inc., recently disclosed a data breach affecting 410,747 patients, exposing their protected health information (PHI).
What happened
American Addiction Centers (AAC) confirmed a cybersecurity incident compromised 410,747 current and former patients’ PHI. The breach was detected on September 26, 2024, and involved unauthorized access to AAC systems between September 23 and September 24, 2024.
Data exfiltrated included names, addresses, phone numbers, Social Security numbers, dates of birth, medical record numbers, and health insurance information. Financial and treatment information was not accessed. Notification letters were sent to affected individuals on December 23, 2024, offering free credit monitoring services.
The Rhysida ransomware group has since claimed responsibility, leaking 2.8 TB of stolen data online after failing to secure a ransom.
Going deeper
The breach also impacted AAC’s affiliated providers including:
- AdCare (MA & RI)
- The Greenhouse (TX)
- Desert Hope Center (NV)
- Oxford Treatment Center (MS)
- Recovery First (FL)
- Sunrise House (NJ)
- River Oaks Treatment Center (FL)
- Laguna Treatment Hospital (CA)
In the know
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) describes the Rhysida ransomware group as “an emerging ransomware variant” that has “predominately been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023.”
The group is known for double-extortion tactics, previously attacking institutions like Prospect Medical and Lurie Children’s Hospital.
By the numbers
- 410,747 patients were affected by the breach.
- 2.8 TB of stolen data leaked online.
- 9 affiliated providers impacted.
- 12 months of free credit monitoring services offered to patients.
Why it matters
Healthcare organizations are entrusted with highly sensitive data, including personal and medical information. So, when cybersecurity breaches occur, they could have long-term implications for affected individuals, like identity theft and fraud, as well as reputational damage to the affected organization and the broader healthcare sector.
The bottom line
Cybersecurity in healthcare remains a pressing concern as ransomware attacks escalate. Organizations must improve cybersecurity to protect sensitive patient data and maintain HIPAA compliance.
Additionally, affected individuals should use the credit monitoring services offered and closely monitor their accounts.
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
What should individuals do if their data has been compromised?
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
Are there any costs associated with placing a fraud alert or credit freeze?
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.