ACLA Data Breach Exposes Social Security Numbers & Medical Information

Anatomic and Clinical Laboratory Associates P.C., a physician-owned pathology group based in Nashville, Tennessee, disclosed a data breach involving unauthorized access to its computer network.

The breach was disclosed to the Massachusetts Office of Consumer Affairs and Business Regulation on June 23, 2026, with 69 Massachusetts residents identified as affected. The company began mailing notification letters to affected individuals on June 23, 2026, and posted a notice on its website with details about the incident and resources for those who may have been impacted.

On Dec. 1, 2025, ACLA became aware of potential unauthorized activity in its computer network and launched an investigation where they learned that an unknown actor may have gained access to the network and downloaded certain files without authorization.

ACLA conducted a comprehensive review of the potentially affected files to determine what information was involved and which individuals may have been impacted. That review concluded on April 27, 2026, nearly five months after the breach was first discovered.

The breach involved both personally identifiable information and protected health information. The personally identifiable information included names, dates of birth, Social Security numbers and taxpayer identification numbers.

The protected health information included medical dates of service, medical provider names, mental or physical condition information, medical treatment and procedure information, diagnosis or clinical information, medical history, patient account numbers and medical record numbers.

ACLA's response

On June 23, 2026, ACLA mailed notification letters to potentially affected individuals for whom it had identifiable address information. Each letter contained details about the incident, a personalized activation code for identity protection services and guidance on steps individuals could take to help protect their information.

Given the sensitive nature of the information involved, the company is offering complimentary credit monitoring and identity theft protection services through Epiq, a data breach and recovery services provider. According to the notification letter, these services include credit monitoring with alerts, dark web monitoring, credit protection, change of address monitoring, identity restoration and lost wallet assistance. The deadline to enroll in these services is Sept. 30, 2026.

Affected individuals can enroll by visiting privacysolutionsid.com and entering the activation code from their notification letter. Enrollment assistance is available by calling 866-675-2006, Monday through Friday from 9 a.m. to 5:30 p.m. Eastern Time, excluding major U.S. holidays.

ACLA has also set up a separate phone line for questions about the incident at 866-659-7137, where Epiq representatives are available Monday through Friday from 9 a.m. to 9 p.m. Eastern Time. According to the notification letter, this line will remain available for 90 days from the date of each individual's letter.

Individuals who did not receive a notification letter but believe they may have been affected can contact the call center at 866-675-2006 to verify their eligibility for the complimentary identity protection services.