American Addiction Centers Data Breach Affects 422,424 People

American Addiction Centers, Inc., a leading provider of substance abuse treatment services, recently experienced a significant data breach that compromised the sensitive personal information of 410,747 individuals across the United States. The breach occurred over a span of four days, from September 23 to September 26, 2024, and was discovered on November 22, 2024.

During this breach, a wide range of consumer information was exposed:

• Names
• Addresses
• Social Security numbers
• Driver’s license numbers
• Financial information (e.g., account numbers, credit or debit card numbers)
• Medical records
• Health insurance information
• Dates of birth

The breach was reported to various authorities, including the California Attorney General on December 24, 2024, the Maine Attorney General on December 27, 2024, the Massachusetts Attorney General on December 24, 2024, and the Texas Attorney General on December 23, 2024. Additionally, the breach was disclosed to the U.S. Department of Health and Human Services on November 25, 2024.

The breach affected individuals in multiple states, with the following breakdown of impacted individuals:

• 26,450 individuals in Texas
• 669 individuals in Maine
• 115,846 individuals in Massachusetts

The breach has been classified as severe due to the nature of the information exposed. Social Security numbers, medical records, and financial information are highly sensitive and can be exploited for identity theft, financial fraud, and other malicious activities.

American Addiction Centers' response

In response to the breach, AAC took several steps to address the situation and protect affected individuals. The company began notifying consumers of the incident on December 23, 2024, using multiple methods, including written notices, U.S. mail, postings on its website, and broadcasts via Texas-wide media.

AAC also offered affected individuals free identity monitoring services through Cyberscout. Consumers were encouraged to enroll in these services by March 31, 2025. The monitoring services include tools to help detect and mitigate identity theft and fraud. Additionally, AAC established a dedicated, toll-free call center to assist individuals with questions or concerns related to the breach.

Affected by the AAC data breach?

If you were notified that your information was part of the AAC data breach, it is crucial to take immediate steps to protect yourself. Given the sensitive nature of the exposed information, you should prioritize the following actions:

1. Enroll in the free identity monitoring services offered by AAC. Visit Cyberscout's enrollment page and use the unique code provided in your notification letter to activate the service before March 31, 2025.
2. Monitor your financial accounts and credit reports. Regularly review your bank and credit card statements for any unauthorized transactions. You are entitled to one free credit report annually from each of the three major credit reporting agencies, which you can access at AnnualCreditReport.com.
3. Place a fraud alert on your credit file. Contact one of the three major credit bureaus—Equifax, Experian, or TransUnion—to add a fraud alert to your credit file. This will notify creditors to verify your identity before opening new accounts in your name.
4. Consider placing a security freeze on your credit report. A security freeze prevents creditors from accessing your credit report without your permission, making it harder for identity thieves to open accounts in your name. You can request a freeze through the credit bureaus’ websites.
5. Be vigilant for phishing attempts. Scammers may attempt to exploit the breach by sending fraudulent emails or messages pretending to be AAC or other trusted entities. Avoid clicking on suspicious links or providing personal information unless you are certain of the sender’s identity.
6. Report any suspicious activity. If you notice unauthorized transactions or suspect identity theft, report it immediately to your financial institution and file a complaint with the Federal Trade Commission (FTC).
7. Contact your state’s attorney general if needed. If you have additional concerns, you can reach out to your state’s attorney general for guidance. For example, Massachusetts residents can contact the Office of the Massachusetts Attorney General.

By taking these steps, you can help safeguard your personal information and minimize the risk of identity theft or fraud.