Addiction treatment provider operating rehab and recovery programs.
In September 2024, American Addiction Centers suffered a ransomware attack attributed to the Rhysida group, detected around September 26, 2024. Rhysida claimed to have exfiltrated approximately 2.8 terabytes of data and published it online after the incident. AAC notified 422,424 individuals on December 23, 2024. Exposed data included names, Social Security numbers, dates of birth, addresses, phone numbers, medical record numbers, treatment/medical information, and health insurance information. The breach is catalogued by DataBreach.com (whose parse cited 528,343 records) and reported to state regulators; AAC offered credit monitoring and later reached a class-action settlement.
ObscureIQ assessment: Extremely sensitive. Exposure creates identity theft and medical fraud risk, but the greater danger is reputational harm, extortion, stigma-based targeting, and manipulation tied to addiction treatment history.
The breach exposed identity, contact, and clinical data, including Social Security numbers and addiction-treatment information, for more than 422,000 patients, a population for whom disclosure of treatment status carries severe stigma. Beyond identity-theft and medical-fraud risk, the exposure created acute potential for extortion and discrimination, eroded patient trust in a highly sensitive care setting, and generated significant legal and regulatory consequences.
American Addiction Centers (AAC) is a Tennessee-based national provider of substance-use and behavioral-health treatment, operating a network of inpatient and outpatient rehabilitation facilities across the United States. It delivers detox, residential, and outpatient addiction treatment along with mental-health services, maintaining detailed clinical, insurance, and billing records for patients in recovery.
Addiction treatment networks collect highly sensitive patient data, including identity records, SSNs, home addresses, insurance information, medical record details, and treatment-related health data.
AAC continues to operate its national treatment network. After the September 2024 ransomware attack it notified 422,424 individuals, offered credit monitoring, and faced multiple class-action lawsuits, which it resolved through a reported $2.75 million settlement. The incident drew particular scrutiny because substance-use treatment records carry heightened federal protection under 42 CFR Part 2.
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware / Extortion.
If you believe your information may be included:
In September 2024, American Addiction Centers suffered a ransomware attack attributed to the Rhysida group, detected around September 26, 2024. Rhysida claimed to have exfiltrated approximately 2.8 terabytes of data and published it online after the incident. AAC notified 422,424 individuals on…
Verified fields include Date of Birth, Email Address, Full Name, Health Insurance, Medical Diagnosis, Medical Record Number, Phone Number, Physical Address, Social Security Number.
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Every claim on this page is traceable. This breach draws on:
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation