American Addiction Centers (AAC) revealed that a major cyberattack in September 2023 exposed sensitive personal and healthcare information of 422,424 individuals. The company, which operates addiction rehabilitation facilities across eight U.S. states, began notifying affected individuals just before the Christmas holiday.
According to company statements, the breach occurred between September 23-26, when unauthorized actors gained access to AAC's systems. The stolen data included names, addresses, phone numbers, medical record numbers, Social Security numbers, and health insurance information. However, payment card data and treatment records were not compromised in the attack.
The Rhysida ransomware gang claimed responsibility for the breach on November 16. This group has previously targeted other healthcare organizations, including a major U.S. hospital network and a children's hospital in Chicago.
Upon discovering the breach on September 26, AAC immediately launched an investigation, engaged cybersecurity experts, and notified law enforcement. The company has since implemented additional security measures and is offering complimentary credit monitoring services for 12 months to affected individuals through Cyberscout, a TransUnion company.
While AAC states there is currently no evidence linking the exposed data to identity theft or fraud, the company advises affected individuals to remain vigilant and monitor their credit reports for suspicious activity. Those impacted can enroll in the protection services through March 31, 2025.
The breach has particularly affected residents in Texas, where over 26,000 people had their information exposed, leading to the filing of separate breach notices in both Texas and California.
A dedicated toll-free hotline has been established for affected individuals seeking additional information about the breach. The hotline operates Monday through Friday, from 8:00 a.m. to 8:00 p.m. Eastern Time at 1-833-833-2770.