Nearly half a million people had data stolen after cyberattack on American Addiction Centers

A September ransomware attack on American Addiction Centers exposed the sensitive healthcare information of more than 400,000 people. 

The company began mailing out breach notification letters ahead of the Christmas holiday, warning 422,424 people that Social Security numbers and health insurance information were among the data leaked during the attack. 

The company runs a network of addiction rehab facilities across California, Florida, Texas, Nevada, Massachusetts, Mississippi, New Jersey and Rhode Island. 

A spokesperson did not respond to requests for comment about whether it was a ransomware attack. The Rhysida ransomware gang — known for several other attacks on healthcare networks in the U.S. — claimed to have attacked American Addiction Centers on November 16. 

The attack was discovered on September 26 when AAC said it “learned it was experiencing a cybersecurity incident.” After notifying law enforcement and hiring experts, an investigation revealed that the hackers had stolen troves of data between September 23 and 26. 

A recent review outlined the data stolen from customers, which includes names, addresses, phone numbers, medical record numbers and more. Payment card data and treatment information were not included in the breach. 

The company also filed breach notices in Texas, where more than 26,000 people were impacted, as well as California. 

The Rhysida ransomware has targeted other major healthcare operations in the past, attacking a large U.S. hospital network last year and in February shutting down a children’s hospital in Chicago. 

The ransomware-as-a-service operation caused nearly unparalleled damage throughout 2024 with large-scale attacks on the cities of Seattle and Columbus, Ohio that had significant real-world impact. In October the group tried to extort $1.3 million from disability nonprofit Easterseals.