Albany College Of Pharmacy And Health Sciences Data Breach Exposes SSNs

On September 14, 2024, Albany College of Pharmacy and Health Sciences (ACPHS) detected unusual activity on its network, leading to the discovery of a data breach. The incident, which is believed to have occurred between August 31, 2024 and September 14, 2024, involved unauthorized access to certain systems by a threat actor known as MEDUSA, a ransomware group.

According to dark web monitoring, MEDUSA claimed responsibility for the attack and threatened to publish the stolen data within days. The cybersecurity incident affected 28,600 individuals.

The data accessed includes a wide range of personally identifiable information (PII) such as first and last names, dates of birth, birth certificates, account numbers, routing numbers, security codes, marriage certificates, mother’s maiden names, digital signatures, passport numbers, government identification numbers, Social Security numbers, taxpayer ID numbers, driver’s license numbers, payment card numbers, payment card expiration dates, alien registration numbers, usernames and passwords, and student information.

In addition, protected health information (PHI) was also compromised, including health insurance details, medical record numbers, mental or physical condition information, diagnosis and treatment records, procedure types, provider names, prescription information, and biometric data.

ACPHS disclosed the data breach to the California, Maine, Texas, Massachusetts and Vermont Attorney Generals' offices beginning on June 16, 2025. There are 108 Maine residents, 592 Massachusetts residents and 394 Texas residents affected.

Albany College Of Pharmacy And Health Sciences' response

To support the community, ACPHS has set up a dedicated toll-free call center at 888-562-7067, available Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time (excluding holidays), to answer questions and provide guidance.

Given the nature of the breach and the involvement of ransomware, it is especially important for affected individuals to take the following steps:

• Review financial and medical statements for unauthorized activity.
• Consider placing a fraud alert or security freeze with the major credit bureaus.
• Be cautious about sharing personal and health information.
• Contact the call center if you suspect your information has been misused or if you have questions about the incident.

For more detailed information, affected individuals can review the official Notice of Data Security Incident posted by ACPHS.