On March 31, 2025, the American Association of Colleges of Osteopathic Medicine (AACOM) discovered a data breach that occurred on September 26, 2024. The breach exposed sensitive personally identifiable information (PII) of approximately 67,804 individuals across the United States. Specifically, the compromised data included names and Social Security numbers. At this time, no protected health information (PHI) or other types of information have been reported as exposed.
AACOM has not yet publicly identified the specific method or responsible party behind the breach. However, the exposure of Social Security numbers and names indicates a significant risk of identity theft and fraud for those affected. Due to the sensitive nature of the information involved, individuals impacted by this breach should take immediate steps to protect themselves against potential identity theft.
The organization has disclosed the breach to several state attorney general offices, including the California Attorney General's Office on April 9, 2025, the Maine Attorney General's Office on April 10, 2025, and the Montana Attorney General's Office on April 8, 2025.
In the state of Maine, 428 individuals were affected by the breach, while in Montana, 274 individuals were impacted. AACOM began notifying affected consumers electronically on April 8, 2025.
AACOM's official breach notification letters can be viewed on the websites of the respective state attorney general offices:
In response to discovering the breach, AACOM promptly initiated an investigation to determine the scope and nature of the incident. The organization also notified relevant state authorities and began informing impacted individuals directly via electronic communication.
Given the sensitive nature of the exposed information—particularly Social Security numbers—individuals affected by this breach should consider the following steps:
A breach notice means your personal details could be circulating far beyond the organization involved. One practical step is continuous monitoring: services such as Identity Defender (included with an ExpressVPN subscription) can automatically check dark-web markets, flag new credit-file activity, and request removal of your information from data-broker sites.
This kind of “early-warning system” can’t undo a breach, but it can help you spot misuse quickly and limit further exposure.