Petition Update: AAC Data Breach Affects Over 400,000 — My Records Were Compromised
Posted on April 24, 2025
I just received a letter from American Addiction Centers (AAC) confirming that my personal records were compromised in their recent data breach — a breach that has affected over 400,000 people. This letter, dated December 23, 2024, was AAC's "Christmas gift" to me and countless others, revealing that sensitive information like names, addresses, social security numbers, and treatment details may have been accessed by an unauthorized party between September 23 and September 26, 2024. You can read the full letter below (with my personal details redacted for privacy). It’s clear that although the attack happened in 2024, rest assured older patient records were accessible.
This breach is yet another example of AAC's failure to protect the people they claim to serve. As many of you know, AAC has a troubling history — from kicking people out based on personal bias (staff deciding they "just don’t like someone") while letting others get away with the same behavior, to the tragic reality that people have died on their campuses. This data breach only adds to the growing list of reasons why we need to hold AAC accountable.
In late September 2024, American Addiction Centers (AAC), a Tennessee-based network of addiction treatment facilities, experienced a significant data breach that compromised the personal and health information of over 422,000 individuals.
What Happened
The breach occurred between September 23 and 26, 2024, when unauthorized access to AAC's IT systems allowed attackers to exfiltrate sensitive data. The Rhysida ransomware group claimed responsibility for the attack, stating they had stolen approximately 2.8 terabytes of data. After unsuccessful ransom negotiations, the group leaked the data online.
The breach affected both patients and employees, exposing:
Full names
Addresses
Phone numbers
Dates of birth
Social Security numbers
Medical record numbers
Health insurance information
Impacted Facilities
The breach extended to AAC's affiliated treatment centers across eight states, including:
AdCare (Massachusetts & Rhode Island)
The Greenhouse (Texas)
Desert Hope Center (Nevada)
Oxford Treatment Center (Mississippi)
Recovery First (Florida)
Sunrise House (New Jersey)
River Oaks Treatment Center (Florida)
Laguna Treatment Hospital (California)
Response and Legal Actions
AAC discovered the breach on September 26, 2024, and initiated an investigation with cybersecurity experts. By October 3, they confirmed the extent of the data exfiltration. Notifications to affected individuals began on December 23, 2024.
In response to the breach, several law firms have initiated investigations and potential class action lawsuits against AAC, aiming to secure compensation for those affected .
Protecting Yourself
If you received a notification from AAC regarding this breach, consider the following steps:
Credit Monitoring: Enroll in any credit monitoring services offered.
Monitor Financial Accounts: Regularly check your bank and credit accounts for unauthorized activity.
Report Suspicious Activity: Immediately report any signs of identity theft or fraud to the relevant authorities.
Legal Consultation: Consult with a legal professional to understand your rights and potential for compensation.
Given the sensitivity of the information involved, it's crucial to remain vigilant and proactive in protecting your personal data
If you’ve been personally affected by AAC, whether through this breach or their broader misconduct, I urge you to read their letter carefully and follow the steps they recommend to protect your identity. But don’t stop there. In my previous update, I shared a full transcript of my phone call with a lawyer in Tampa representing the family of someone who died at AAC. It exposes, in detail, just how deep their misconduct goes. Please take a moment to read it and join me in demanding justice and reform.
Below is the letter I received from AAC, with my name and address redacted for privacy:
Data Breach Notification
c/o Cyberscout
PO Box 1286
Dearborn, MI 48120-9988
PL47X100807184
[REDACTED NAME]
[REDACTED ADDRESS]
December 23, 2024
Dear [REDACTED NAME]:
American Addiction Centers, Inc., and its affiliated providers, including AdCare, the Greenhouse, Desert Hope Treatment Center, Recovery First, Sunrise House, River Oaks, Treatment Center, and Laguna Treatment Hospital, ("AAC" or "we") believe that the privacy and security of your health information is important and are committed to protecting it. We are writing to notify you that a cybersecurity incident at AAC may have involved some of your personal information. This notice explains the incident, the measures we have taken in response, and the steps individuals can take for further protection.
WHAT HAPPENED: On or around September 26, 2024, AAC learned that it was experiencing a cybersecurity incident. AAC immediately launched an investigation and engaged leading third-party cybersecurity experts to assist. On October 3, 2024, the investigation determined also that an unauthorized party had taken some data from AAC systems between September 23 and September 26, 2024. A thorough review of the impacted data was conducted to identify what information was related to the use of any affected individual’s information, including yours.
WHAT INFORMATION WAS INVOLVED: The impacted data may have included the following information about you: name, address, phone number, date of birth, medical record number or other identifier, social security number, treatment information, and health insurance information. The incident did not affect payment card data.
WHAT WE ARE DOING: After becoming aware of the incident, AAC immediately took additional protective measures to safeguard its systems and worked with leading cybersecurity experts to conduct a comprehensive investigation of the incident. AAC notified law enforcement and is cooperating with their investigation. To help prevent similar incidents from happening in the future, AAC implemented and is continuing to implement additional security protocols designed to enhance the security of its IT system environments.
We want you to feel confident that your data is secure. To help protect your identity, we are offering you Single Bureau Credit Monitoring, Single Bureau Credit Report, and Single Bureau Credit Score services at no charge. These services provide you with alerts for twelve (12) months from the date of enrollment when changes occur to your credit file. Alerts will be sent to you the same day that the change or update takes place with the bureau. Finally, we are providing you with proactive fraud assistance to help with any questions that you might have or in the event that you become a victim of fraud. These services will be provided by Cyberscout, a TransUnion company specializing in fraud assistance and remediation services.
To enroll in Cyberscout credit monitoring services at no charge, please log on to https://bfs.cyberscout.com/activate and follow the instructions provided. When prompted please provide the following unique code to receive services: D3D2CFC81D2F9
Let’s keep pushing for accountability and change. Share your story, sign the petition, and help us ensure that AAC can’t continue to fail those who need help the most.
Thank you for your support.