Brentwood, TN-based rehabilitation center American Addiction Centers, Inc., recently disclosed a data breach affecting 410,747 patients, exposing their protected health information (PHI).
American Addiction Centers (AAC) confirmed a cybersecurity incident compromised 410,747 current and former patients’ PHI. The breach was detected on September 26, 2024, and involved unauthorized access to AAC systems between September 23 and September 24, 2024.
Data exfiltrated included names, addresses, phone numbers, Social Security numbers, dates of birth, medical record numbers, and health insurance information. Financial and treatment information was not accessed. Notification letters were sent to affected individuals on December 23, 2024, offering free credit monitoring services.
The Rhysida ransomware group has since claimed responsibility, leaking 2.8 TB of stolen data online after failing to secure a ransom.
The breach also impacted AAC’s affiliated providers including:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) describes the Rhysida ransomware group as “an emerging ransomware variant” that has “predominately been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023.”
The group is known for double-extortion tactics, previously attacking institutions like Prospect Medical and Lurie Children’s Hospital.
Healthcare organizations are entrusted with highly sensitive data, including personal and medical information. When cybersecurity breaches occur, they could have long-term consequences for affected individuals, such as identity theft and fraud, and could cause reputational damage to the affected organization and the broader healthcare sector.
Cybersecurity in healthcare remains a pressing concern as ransomware attacks escalate. Organizations must improve cybersecurity to protect sensitive patient data and maintain HIPAA compliance.
Additionally, affected individuals should use the credit monitoring services offered and closely monitor their accounts.
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.