American Addiction Centers (AAC) has notified 422,424 individuals that their personal information was stolen in a cyber-attack attributed to the Rhysida criminal organization. The incident was discovered on September 26, 2024, and the notification letter to affected individuals confirmed that the information exfiltrated included names, Social Security numbers, and health insurance information. AAC is offering individuals 12 months of credit monitoring.

The criminal organization Rhysida has claimed responsibility for the attack and added AAC to its leak site. It states that it stole around 2.8TB of data and “has made most of it available publicly.”