American Associated Pharmacies Data Breach Exposes Social Security Numbers

The AAP began notifying impacted individuals on Nov. 12, 2025. The data breach was disclosed to the Washington, Maine, California, New Hampshire, Montana, and Vermont Attorney Generals' offices between Nov. 17, 2025 and Nov. 13, 2025. The cyberattack affected at least 8,042 individuals.

American Associated Pharmacies (AAP), a member-owned cooperative in the pharmaceutical industry, recently disclosed a cybersecurity incident that may have exposed sensitive personal information. The breach occurred on October 23, 2024, when AAP detected suspicious activity within its systems, consistent with a cyberattack.

The company immediately launched an investigation and worked with cybersecurity experts to contain and remediate the situation. AAP also published a Notice of Data Incident on its website.

While the exact number of individuals affected has not been disclosed, the potentially compromised information includes names, addresses, dates of birth. Social Security numbers, passport numbers, driver's license or state ID numbers, financial account number including routing numbers, clinical or treatment information, medical information, medical provider names, medical record numbers, health insurance information, health insurance carriers, health insurance member IDs and group numbers, prescription information and usernames and passwords.

The breach was reported to the state attorney general office in Massachusetts, where the disclosure was made on December 27, 2024. At this time, there is no evidence that the stolen data has been used for identity theft or fraud. However, the sensitive nature of the exposed information poses significant risks to affected individuals.

AAP's response

AAP has taken several steps to address the breach and protect the information in its care. Upon discovering the incident, the company immediately shut down its systems to prevent further unauthorized access. It also implemented enhanced security measures, such as expanding the use of multifactor authentication, resetting all passwords, and deploying additional monitoring tools to detect future threats.

To assist affected individuals, AAP is offering 24 months of complimentary credit monitoring and identity protection services through Experian IdentityWorks. The company has also reported the incident to relevant government agencies and continues to work with privacy and security experts to strengthen its systems.

Affected by the AAP data breach?

If you believe your information may have been impacted by this data breach, it is essential to take proactive steps to protect yourself. Here’s what you should do:

1. Enroll in credit monitoring services: AAP is offering complimentary credit monitoring for 24 months through Experian IdentityWorks. To enroll, visit Experian IdentityWorks and use the activation code provided in your notice letter. Be sure to complete enrollment by March 31, 2025.
2. Monitor your financial accounts: Regularly review your bank statements, credit card transactions, and health insurance claims for any unauthorized activity.
3. Request your free credit reports: You can obtain a free credit report annually from each of the three major credit bureaus by visiting AnnualCreditReport.com or calling 1-877-322-8228. Massachusetts residents may be eligible for additional free credit reports.
4. Place a fraud alert or security freeze: Consider placing a fraud alert on your credit file by contacting one of the three major credit bureaus: Equifax, Experian, or TransUnion. You can also request a security freeze to prevent new accounts from being opened in your name without your authorization.
5. Remain vigilant: Even if there is no immediate evidence of fraud, it’s important to stay alert. Report any suspicious activity to your financial institutions and law enforcement.
6. Contact Experian for assistance: If you need help enrolling in the credit monitoring service or have questions, Experian’s customer care team is available at 833-918-5744, Monday through Friday, 8 a.m. to 8 p.m. Central Time.