Couples Learn

On March 10, 2025, the California Attorney General disclosed a data breach affecting Couples Learn, stemming from unauthorized access to its Acuity Scheduling online account. The breach occurred due to a compromised staff password, allowing attackers to potentially expose client names, email addresses, phone numbers, and appointment types. While no clinical records were accessed and there is no evidence of data misuse, the incident highlights vulnerabilities in credential security and third-party platform risks. The exposed information, though non-sensitive in nature, could still be exploited for targeted phishing, spam, or social engineering attacks. The breach underscores the importance of robust authentication measures, employee cybersecurity training, and monitoring of third-party service providers to prevent credential-based intrusions. No financial, health, or highly sensitive data was compromised, mitigating the severity but still raising concerns over client privacy and trust.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-602225

TPRM report: https://www.rankiteo.com/company/alejandro-daniel-pina-lmft-feel-understood

"id": "ale1057090725",
"linkid": "alejandro-daniel-pina-lmft-feel-understood",
"type": "Breach",
"date": "3/2025",
"severity": "60",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'industry': 'Healthcare (Mental Health Services)',
                        'location': 'California, USA',
                        'name': 'Couples Learn',
                        'type': 'Organization (Therapy/Counseling Service)'}],
 'attack_vector': 'Compromised Credentials (Hacked Staff Password)',
 'data_breach': {'data_exfiltration': 'Potential (No Evidence of Misuse)',
                 'personally_identifiable_information': ['Names',
                                                         'Email Addresses',
                                                         'Phone Numbers'],
                 'sensitivity_of_data': 'Low to Moderate (No Clinical Records)',
                 'type_of_data_compromised': ['Personal Information (PII)']},
 'date_publicly_disclosed': '2025-03-10',
 'description': 'The California Attorney General reported a data breach '
                'involving Couples Learn on March 10, 2025. The breach was due '
                'to unauthorized access to the Acuity Scheduling online '
                'account through a hacked staff password, potentially exposing '
                'names, email addresses, phone numbers, and appointment types '
                'of clients. No clinical records were accessed, and there is '
                'no evidence of misuse of client data.',
 'impact': {'brand_reputation_impact': 'Potential (No Evidence of Misuse)',
            'data_compromised': ['Names',
                                 'Email Addresses',
                                 'Phone Numbers',
                                 'Appointment Types'],
            'identity_theft_risk': 'Low (No Clinical Records or Sensitive Data '
                                   'Exposed)',
            'systems_affected': ['Acuity Scheduling Online Account']},
 'investigation_status': 'Ongoing (No Evidence of Data Misuse)',
 'post_incident_analysis': {'root_causes': ['Compromised Staff Password (Weak '
                                            'or Stolen Credentials)']},
 'references': [{'date_accessed': '2025-03-10',
                 'source': 'California Attorney General Report'}],
 'regulatory_compliance': {'regulatory_notifications': ['California Attorney '
                                                        'General']},
 'response': {'law_enforcement_notified': 'Yes (Reported to California '
                                          'Attorney General)'},
 'title': 'Data Breach at Couples Learn via Acuity Scheduling Account '
          'Compromise',
 'type': 'Data Breach (Unauthorized Access)',
 'vulnerability_exploited': 'Weak or Stolen Password'}