Ransomware Attack Exposes Over 400K American Addiction Center Patients
American Addiction Centers, Inc. (AAC), a Brentwood, TN-based addiction rehabilitation organization, recently disclosed a cybersecurity breach affecting 410,747 current and former patients.
Notification letters submitted to the Maine Attorney General revealed that stolen data included names, addresses, phone numbers, birth dates, medical record numbers, Social Security numbers, and health insurance details.
However, no financial or treatment information was accessed. The breach also impacted patients from AAC’s affiliated providers, including AdCare (MA & RI), the Greenhouse (TX), and others nationwide, HIPAA Journal reports.
The breach was detected on September 26, 2024, with the forensic investigation confirming unauthorized access between September 23 and 24. During this time, threat actors exfiltrated sensitive data.
AAC quickly contained the attack, engaged cybersecurity experts, and notified law enforcement. Despite existing safeguards, AAC has committed to strengthening its IT security measures further. Affected individuals were notified on December 23, 2024, and offered one year of complimentary credit monitoring services.
The Rhysida ransomware group, notorious for targeting healthcare organizations, has claimed responsibility. Rhysida leaked 2.8 TB of stolen data after failing to secure a ransom.
Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, Rhysida, a ransomware-as-a-service (RaaS) operation first identified in May 2023, rapidly gained prominence as a significant cybersecurity threat by early 2024.
Known for employing advanced techniques to infiltrate networks and maintain persistence, Rhysida exploits vulnerabilities such as those in VPN systems and critical flaws like Zerologon (CVE-2020-1472) to achieve initial access.
The group follows a double-extortion strategy, combining data encryption with the exfiltration of sensitive information. Victims are threatened with public data leaks if ransom demands are not met.
To support their operations, Rhysida maintains a leaks site and a victim support portal on the Tor network, facilitating negotiations and updates. High-profile attacks attributed to the group include incidents targeting the Chilean military and, more recently, Prospect Medical Holdings, an event that severely disrupted operations across hundreds of clinics and hospitals in the United States.
In February 2024, researchers released a decryptor for Rhysida’s ransomware, temporarily hindering their activities. However, the group quickly adapted, updating their tools and resuming attacks.
Rhysida's platform is characterized by sophisticated capabilities designed to enhance operational efficiency and evade detection. Their tactics include bypassing antivirus systems, deleting Volume Shadow Copies (VSS) to prevent rollback of encrypted files, and modifying Remote Desktop Protocol (RDP) settings to maintain persistence.
They leverage tools such as Cobalt Strike or similar command-and-control frameworks, PSExec for lateral movement, and PowerShell scripts to deliver ransomware payloads. Rhysida’s ransomware employs robust encryption, using AES-CTR for file encryption and a 4096-bit RSA key for managing encryption keys.
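As an added example of the defensive side of the TTPs just described (not code from the original post or from Halcyon), the block below runs a small detection pass over constructed Sysmon-style process-creation records and flags shadow-copy deletion, RDP being enabled through the registry, and PsExec's service binary. The field names, rule names and sample events are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields),
# invented for this example; not telemetry from the AAC incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
                r" /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "srv02", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign enumeration, must not alert
]

# Detection rules keyed to the TTPs in the text:
# (rule name, lower-case image file name, command-line pattern, MITRE ATT&CK id)
RULES = [
    ("shadow_copy_deletion", "vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b", re.I), "T1490"),
    ("shadow_copy_deletion", "wmic.exe",
     re.compile(r"\bshadowcopy\s+delete\b", re.I), "T1490"),
    ("rdp_enabled_via_registry", "reg.exe",
     re.compile(r"Terminal Server.*fDenyTSConnections.*/d\s+0\b", re.I), "T1021.001"),
    ("psexec_service_execution", "psexesvc.exe", re.compile(r"."), "T1569.002"),
]


def detect(events):
    """Return one finding per (event, rule) match; events are dicts with host/image/cmdline."""
    findings = []
    for ev in events:
        image_name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        for name, wanted_image, pattern, technique in RULES:
            if image_name == wanted_image and pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "rule": name,
                                 "technique": technique, "cmdline": ev["cmdline"]})
    return findings


def hosts_with_impact_stage(events):
    """Hosts where shadow copies were deleted: encryption usually follows shortly after."""
    return sorted({f["host"] for f in detect(events) if f["rule"] == "shadow_copy_deletion"})


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['host']}: {f['rule']} <- {f['cmdline']}")
```

Shadow-copy deletion is the highest-value alert here because it typically precedes encryption by minutes, so it deserves an immediate isolation response rather than a queued ticket.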
Initially focusing on Windows environments, the group has expanded its operations to include a Linux variant targeting VMware ESXi servers. The group’s tactics, techniques, and procedures (TTPs) bear similarities to those of the Vice Society ransomware group, suggesting a potential connection or shared methodologies.
Rhysida operators present themselves as a "cybersecurity team" engaging in unauthorized "penetration testing" to ostensibly help victim organizations identify vulnerabilities and strengthen their defenses. They frame ransom payments as compensation for these unsolicited "services."
Following a period of reduced activity in early Q2 2024 after the public release of the decryptor, Rhysida reemerged in Q3 2024 with an updated encryptor. Despite their resurgence, the volume of their attacks remains modest compared to leading ransomware groups.
Rhysida appears to operate opportunistically, tailoring ransom demands based on circumstances. Recent attacks have seen demands ranging from 15 Bitcoin (approximately $775,000) to 60 Bitcoin (around $3.7 million).
Notable victims include MarineMax, Lurie Children’s Hospital, Pierce College at Joint Base Lewis McChord, Ejercito de Chile, Axity, Ministry of Finance Kuwait, Prince George’s County Public Schools, Ayuntamiento de Arganda City Council, Comune di Ferrara, Prospect Medical Holdings, and the Martinique Government.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.