Albany College Of Pharmacy And Health Sciences Data Breach Exposes SSNs

Published

April 16, 2025

Updated

July 31, 2025

Albany College of Pharmacy

Types of INFORMATION affected

Names
Social Security Numbers
Dates of Birth
Addresses
Government IDs
Medical Info
Financial Info

On September 14, 2024, Albany College of Pharmacy and Health Sciences (ACPHS) detected unusual activity on its network, leading to the discovery of a data breach. The incident, which is believed to have occurred between August 31, 2024 and September 14, 2024, involved unauthorized access to certain systems by a threat actor known as MEDUSA, a ransomware group.

According to dark web monitoring, MEDUSA claimed responsibility for the attack and threatened to publish the stolen data within days. The cybersecurity incident affected 28,600 individuals.

The data accessed includes a wide range of personally identifiable information (PII) such as first and last names, dates of birth, birth certificates, account numbers, routing numbers, security codes, marriage certificates, mother’s maiden names, digital signatures, passport numbers, government identification numbers, Social Security numbers, taxpayer ID numbers, driver’s license numbers, payment card numbers, payment card expiration dates, alien registration numbers, usernames and passwords, and student information.

In addition, protected health information (PHI) was also compromised, including health insurance details, medical record numbers, mental or physical condition information, diagnosis and treatment records, procedure types, provider names, prescription information, and biometric data.

ACPHS disclosed the data breach to the California, Maine, Texas, Massachusetts and Vermont Attorney Generals' offices beginning on June 16, 2025. There are 108 Maine residents, 592 Massachusetts residents and 394 Texas residents affected.

Albany College Of Pharmacy And Health Sciences' response

To support the community, ACPHS has set up a dedicated toll-free call center at 888-562-7067, available Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time (excluding holidays), to answer questions and provide guidance.

Given the nature of the breach and the involvement of ransomware, it is especially important for affected individuals to take the following steps:

Review financial and medical statements for unauthorized activity.
Consider placing a fraud alert or security freeze with the major credit bureaus.
Be cautious about sharing personal and health information.
Contact the call center if you suspect your information has been misused or if you have questions about the incident.

For more detailed information, affected individuals can review the official Notice of Data Security Incident posted by ACPHS.

Protect Your Data

A breach notice means your personal details could be circulating far beyond the organization involved. One practical step is continuous monitoring: services such as Identity Defender (included with an ExpressVPN subscription) can automatically check dark-web markets, flag new credit-file activity, and request removal of your information from data-broker sites.

This kind of “early-warning system” can’t undo a breach, but it can help you spot misuse quickly and limit further exposure. ExpressVPN is offering 61% off, risk-free for 30 days, with ID Theft Insurance included and no extra cost for those who sign up for one or two years.