On July 31, 2025, the American Association of Critical-Care Nurses (AACN) discovered a data breach in its website’s payment system, exposing personally identifiable information (PII) of 57,526 individuals in the U.S., including 186 Maine residents. The breach, active from March 8, 2025, to July 31, 2025, involved unauthorized access to payment card details (card number, expiration date, CVV), along with names, contact information, shipping/billing addresses, phone numbers, and email addresses.The incident was disclosed to the Maine Attorney General on August 29, 2025, with affected individuals notified the same day. While the exact method of compromise remains undisclosed, the breach poses significant risks of financial fraud and identity theft. AACN responded by offering two years of free credit and identity monitoring (via IDX) and advised victims to monitor financial statements for suspicious activity.The breach’s severity stems from the direct exposure of sensitive payment data, potentially enabling large-scale fraud. Though no ransomware was involved, the leak of customer financial and personal details underscores a critical failure in payment system security, necessitating heightened vigilance among affected parties.
Source: https://www.claimdepot.com/data-breach/aacn-2025
TPRM report: https://www.rankiteo.com/company/aacn
"id": "aac906090225",
"linkid": "aacn",
"type": "Breach",
"date": "3/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '57,526 (186 in Maine)',
'industry': 'healthcare (nursing)',
'location': 'United States',
'name': 'American Association of Critical-Care Nurses '
'(AACN)',
'type': 'non-profit professional association'}],
'customer_advisories': ['Written notification sent to affected individuals '
'(2025-08-29)',
'Public advisory to review statements and enroll in '
'monitoring services'],
'data_breach': {'data_exfiltration': 'likely (accessed by unauthorized party)',
'number_of_records_exposed': '57,526',
'personally_identifiable_information': ['name',
'contact information',
'shipping address',
'billing address',
'phone number',
'email address',
'payment card number',
'expiration date',
'CVV'],
'sensitivity_of_data': 'high (includes payment card details '
'and PII)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'payment card data']},
'date_detected': '2025-07-31',
'date_publicly_disclosed': '2025-08-29',
'description': 'On July 31, 2025, the American Association of Critical-Care '
'Nurses (AACN) discovered a data breach affecting its '
'website’s payment system. An unauthorized party accessed '
'payment card information associated with transactions on the '
'AACN website between March 8, 2025, and July 31, 2025. The '
'breach exposed PII, including payment card details (card '
'number, expiration date, CVV), names, contact information, '
'shipping/billing addresses, phone numbers, and email '
'addresses. A total of 57,526 individuals in the U.S. were '
'affected, with 186 in Maine. AACN is offering two years of '
'complimentary credit and identity monitoring services through '
'IDX to impacted individuals.',
'impact': {'brand_reputation_impact': 'high (potential risk of financial '
'fraud and identity theft for 57,526 '
'individuals)',
'data_compromised': ['payment card information (card number, '
'expiration date, CVV)',
'name',
'contact information',
'shipping address',
'billing address',
'phone number',
'email address'],
'identity_theft_risk': 'high',
'payment_information_risk': 'high',
'systems_affected': ['payment system']},
'initial_access_broker': {'high_value_targets': ['payment card data', 'PII']},
'investigation_status': 'ongoing (specific method of attack not detailed)',
'recommendations': ['Enroll in complimentary credit and identity monitoring '
'services by Nov. 29, 2025',
'Review payment card and bank statements for suspicious '
'activity',
'Report unauthorized transactions to financial '
'institutions promptly'],
'references': [{'source': 'Maine Attorney General Office'}],
'regulatory_compliance': {'regulatory_notifications': ['Maine Attorney '
'General (filed '
'2025-08-29)']},
'response': {'communication_strategy': ['written notification to affected '
'individuals (sent 2025-08-29)',
'public disclosure via Maine Attorney '
'General filing'],
'incident_response_plan_activated': 'yes (notification and '
'credit monitoring offered)',
'recovery_measures': ['complimentary credit and identity '
'monitoring for 2 years'],
'third_party_assistance': ['IDX (credit and identity monitoring '
'services)']},
'threat_actor': 'unauthorized party',
'title': 'Data Breach at American Association of Critical-Care Nurses (AACN) '
'Payment System',
'type': ['data breach', 'payment system compromise']}