Acadia Healthcare Data Breach Exposes Patient Information in Social Engineering Attack
On March 25, 2026, Acadia Healthcare, a provider operating 277 behavioral health facilities across 40 states and Puerto Rico, detected unauthorized access to a user’s email and associated SharePoint account. An investigation revealed that a threat actor, leveraging social engineering tactics, accessed and exfiltrated sensitive files between March 21 and March 25. While Acadia’s core electronic health record systems remained uncompromised, the exposed data included patients’ names, addresses, dates of birth, treatment details, health insurance information, and Medicare Health Insurance Claim Numbers some of which contained Social Security numbers.
Notifications to affected individuals began on May 22, 2026. Legal teams, including those affiliated with ClassAction.org, are exploring potential class action litigation on behalf of impacted patients, citing risks such as identity theft, privacy violations, and financial harm. The incident underscores vulnerabilities in third-party and email-based systems within healthcare security.
Source: https://www.classaction.org/data-breach-lawsuits/acadia-healthcare-company-may-2026
Acadia Healthcare cybersecurity rating report: https://www.rankiteo.com/company/acadia-healthcare
"id": "ACA1780093769",
"linkid": "acadia-healthcare",
"type": "Breach",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Behavioral Health',
'location': '40 states and Puerto Rico',
'name': 'Acadia Healthcare',
'size': '277 facilities',
'type': 'Healthcare Provider'}],
'attack_vector': 'Social Engineering',
'customer_advisories': 'Notifications to affected individuals began on May '
'22, 2026',
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': ['Names',
'Addresses',
'Dates of Birth',
'Social Security '
'Numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information',
'Health Information']},
'date_detected': '2026-03-25',
'date_publicly_disclosed': '2026-05-22',
'description': 'On March 25, 2026, Acadia Healthcare detected unauthorized '
'access to a user’s email and associated SharePoint account. '
'An investigation revealed that a threat actor, leveraging '
'social engineering tactics, accessed and exfiltrated '
'sensitive files between March 21 and March 25. The exposed '
'data included patients’ names, addresses, dates of birth, '
'treatment details, health insurance information, and Medicare '
'Health Insurance Claim Numbers, some of which contained '
'Social Security numbers. Notifications to affected '
'individuals began on May 22, 2026.',
'impact': {'brand_reputation_impact': 'Potential brand reputation damage due '
'to privacy violations and identity '
'theft risks',
'data_compromised': 'Patients’ names, addresses, dates of birth, '
'treatment details, health insurance '
'information, Medicare Health Insurance Claim '
'Numbers, Social Security numbers',
'identity_theft_risk': 'High',
'legal_liabilities': 'Potential class action litigation',
'systems_affected': 'Email and SharePoint account'},
'initial_access_broker': {'entry_point': 'Email and SharePoint account'},
'lessons_learned': 'Vulnerabilities in third-party and email-based systems '
'within healthcare security',
'post_incident_analysis': {'root_causes': 'Social engineering tactics leading '
'to unauthorized access'},
'references': [{'source': 'ClassAction.org'}],
'regulatory_compliance': {'legal_actions': 'Potential class action '
'litigation'},
'response': {'communication_strategy': 'Notifications to affected individuals '
'began on May 22, 2026'},
'title': 'Acadia Healthcare Data Breach Exposes Patient Information in Social '
'Engineering Attack',
'type': 'Data Breach',
'vulnerability_exploited': 'Email and SharePoint account access'}