American Addiction Centers, a substance abuse treatment company based in Tennessee, recently disclosed a major data breach that exposed the personal details of approximately 422,424 individuals. The company, founded in 2007, boasts the largest network of rehab facilities nationwide, operating both in-patient and outpatient treatment centers across multiple states.
According to reports, the data breach occurred over a four-day period in late September, with the attackers successfully stealing sensitive information such as names, addresses, phone numbers, dates of birth, medical record numbers, Social Security numbers, and health insurance details of the affected individuals. Additionally, the breach also compromised the privacy of the victims by exposing their status as patients at an addiction treatment center.
The intrusion was first detected by the company on October 3, and an investigation into the incident is currently underway with the involvement of law enforcement agencies. American Addiction Centers has started notifying the victims of the breach through a data breach notification dated Tuesday.
The cybercriminal group known as Rhysida ransomware has claimed responsibility for the attack and subsequent data theft. In a post on their data leak site, the group threatened to release the stolen data unless a ransom of 20 bitcoins (equivalent to approximately $1.9 million) was paid. Despite their claims, cybersecurity experts have advised caution as such groups often inflate their demands to create panic and pressure on their victims.
This is not the first time Rhysida ransomware has targeted healthcare organizations. Since mid-2023, the group has been involved in several high-profile attacks on healthcare and public health sector entities, including hospitals, mental health providers, and health systems across various states. The group’s tactics involve stealing sensitive data and then demanding ransom payments in exchange for not releasing the information publicly.
American Addiction Centers gained attention in 2014 when it became the first publicly traded addiction treatment provider in the U.S. However, the company faced financial challenges in subsequent years, leading to its delisting from the New York Stock Exchange in 2019. Following a period of bankruptcy protection, the company reemerged in 2020 but now trades over the counter.
As the investigation into the data breach continues, affected individuals are advised to remain vigilant about any potential misuse of their personal information. The incident serves as a reminder of the growing threat of cybercrime, especially targeting organizations that handle sensitive medical data. Cybersecurity measures and data protection protocols are crucial in safeguarding individuals’ private information from unauthorized access and exploitation.