Approximately 411,000 American Addiction Centers Patients Impacted by Ransomware Attack

Dec 29, 2024

Addiction rehabilitation center American Addiction Centers, Inc., based in Brentwood, TN, recently reported a cybersecurity incident that impacted 410,747 present and past patients whose protected health information (PHI) may have been stolen. The notification letter sent to the Maine Attorney General confirmed the compromise of the following data: names, birth dates, addresses, telephone numbers, Social Security numbers, medical record numbers, medical insurance data, and other identifiers. The unauthorized third party didn’t access any financial or treatment data. The stolen information is associated with patients of American Addiction Centers and its affiliated organizations: the Greenhouse (TX), AdCare (MA & RI), Oxford Treatment Center (MS), Desert Hope Center (NV), River Oaks Treatment Center (FL), Recovery First (FL), Laguna Treatment Hospital (CA), and Sunrise House (NJ).

American Addiction Centers discovered the cyberattack on or about September 26, 2024, and hired third-party cybersecurity specialists to investigate the attack. The rehabilitation center immediately contained the attack and notified law enforcement. According to the forensic investigation, a threat actor accessed its systems from September 23 to September 24, 2024, and at that time, extracted files with patient data.

American Addiction Centers stated protective procedures were enforced before the attack to secure patient information, and extra security practices will be enforced to boost the safety of its IT systems. The impacted people were informed by mail on December 23, 2024, and were provided free credit report, credit score, and single bureau credit monitoring services for one year.

The notification letters did not name the attacker; nevertheless, the Rhysida ransomware group claimed responsibility for the attack. Rhysida has performed many ransomware attacks on healthcare providers, including Axis Health System, Lurie Children’s Hospital, and Prospect Medical. Rhysida tries to sell the stolen information when no ransom payment is received. If there is no buyer, the stolen information is exposed on the ransomware group’s data leak website, as happened in this attack. The group exposed 2.8 TB of data that cannot be purchased. Therefore, people who receive a notification letter regarding the data breach should enroll in the credit monitoring services immediately and monitor their accounts carefully. Covered entities should be ready for cyberattacks such as this and provide HIPAA training to help prevent the theft of PHI.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations.
