Addiction rehabilitation center American Addiction Centers, Inc., based in Brentwood, TN, recently reported a cybersecurity incident that impacted 410,747 present and past patients whose protected health information (PHI) may have been stolen. The notification letter sent to the Maine Attorney General confirmed the compromise of the following data: names, birth dates, addresses, telephone numbers, Social Security numbers, medical record numbers, medical insurance data, and other identifiers. The unauthorized third party didn’t access any financial or treatment data. The stolen information is associated with patients of American Addiction Centers and its affiliated organizations: the Greenhouse (TX), AdCare (MA & RI), Oxford Treatment Center (MS), Desert Hope Center (NV), River Oaks Treatment Center (FL), Recovery First (FL), Laguna Treatment Hospital (CA), and Sunrise House (NJ).
American Addiction Centers discovered the cyberattack on or about September 26, 2024, and hired third-party cybersecurity specialists to investigate the attack. The rehabilitation center immediately contained the attack and notified law enforcement. According to the forensic investigation, a threat actor accessed its systems from September 23 to September 24, 2024, and during that time extracted files with patient data.
American Addiction Centers stated that protective procedures were enforced before the attack to secure patient information, and that extra security practices will be enforced to boost the safety of its IT systems. The impacted people were informed by mail on December 23, 2024, and were provided with free credit report, credit score, and single-bureau credit monitoring services for one year.
The notification letters did not name the attacker; nevertheless, the Rhysida ransomware group claimed responsibility for the attack. Rhysida has performed many ransomware attacks on healthcare providers, including Axis Health System, Lurie Children’s Hospital, and Prospect Medical. Rhysida tries to sell the stolen information when no ransom payment is received. If there is no buyer, the stolen information is exposed on the ransomware group’s data leak website, as happened in this attack. The group exposed 2.8 TB of data that cannot be purchased. Therefore, people who get a notification letter regarding the data breach ought to make sure they enroll in credit monitoring services immediately and keep track of their accounts carefully. Covered entities should be ready for cyberattacks such as this and provide HIPAA training to help prevent the theft of PHI.