Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

American Addiction Centers reaches $2.75M settlement for ransomware breach

Written by Abby Grifno | January 21, 2026

The settlement follows a massive 2024 breach, resulting in 2.8 terabytes of data being leaked.

 

What happened

American Addiction Centers (AAC) has reached a class action settlement for a data breach that took place between September 23rd and 24th, 2024. Approximately 410,747 patients had their data breached. Stolen information included names, addresses, phone numbers, dates of birth, medical record numbers, Social Security numbers, health insurance information, and treatment information. The data was ultimately leaked online.

Following the incident, 12 class action suits were filed, all of which were consolidated on February 18th, 2025. Ultimately, AAC agreed to a settlement of $2.75 million, which will go towards victims, the class representatives, and legal/administrative fees.

 

The backstory

American Addiction Centers is a Tennessee-based addiction rehabilitation center. According to its data breach notice, a cyberattack was first detected in its systems on September 26th, 2024, and individuals were notified of the incident on December 23rd of the same year.

While AAC did not officially state the incident was a ransomware attack, the hacker group Rhysida claimed responsibility for the incident and demanded a ransom. It’s believed the ransom went unpaid, as the malicious group ultimately leaked 2.8 terabytes of data.

 

Going deeper

Rhysida is a ransomware-as-a-service (RaaS) group that emerged in 2023 and is believed to be based out of Russia. As a RaaS, Rhysida is known to sell ransomware services to other, less skilled cybercriminals. Rhysida has been known to target healthcare organizations, like Prospect Medical, Lurie Children’s Hospital, and others.

According to a 2025 CISA update, Rhysida targets organizations based on opportunity, meaning the group looks for vulnerabilities across many organizations, including those in the education, healthcare, IT, and government sectors, and chooses victims based on who may seem the easiest or most profitable to infiltrate.

 

The big picture

Class action lawsuits are becoming more common in the healthcare sector as a tool to hold healthcare organizations accountable for data breaches and provide restitution to victims. These incidents can also serve as a warning to other healthcare organizations to prioritize cybersecurity and proactively prevent breaches. Paubox has previously noted that the cost of a breach against healthcare providers has risen substantially, now up to $11 million. Each year, the costs seem to rise, encompassing lawsuits, regulatory fines, operational disruptions, IT costs, and more. For smaller organizations, data breaches have even resulted in bankruptcy.

 

FAQs

How does Rhysida usually access systems?

According to CISA, Rhysida has been observed using external-facing remote services to access networks. For example, the group may use a Virtual Private Network (VPN) to connect to the victim's networks. They have also used valid credentials and malware to access networks. Malware is commonly spread through malicious emails or internet links.