Acadia Healthcare Company, Inc. (Acadia) experienced a data security incident that involved patient information.
On March 25, 2026, unusual activity was detected in a user’s email account. The email account was secured, and an investigation was launched with the assistance of a third-party forensic investigation firm. Through its investigation, Acadia determined that an unauthorized party gained access to one email account and an associated SharePoint account through social engineering. Between March 21, 2026, and March 25, 2026, the unauthorized party accessed and acquired certain emails and SharePoint files. The investigation confirmed that this incident was limited to the one email account and associated SharePoint account and did not involve Acadia’s electronic health record systems. This incident did not disrupt its operations or its ability to care for patients.
A review was initiated to determine the contents of those emails and files involved in the incident. Through this ongoing review, files containing patient information have been identified, including names, addresses, dates of birth, treatment information, dates of treatment, type of treatment and health insurance information. For some individuals, the files also contained their Medicare Health Insurance Claim Number (HICN), which may include their Social Security number.
To help prevent something like this from happening again, Acadia has implemented and will continue to adopt additional safeguards and technical security measures to further protect and monitor its systems.
Site Selection Mistakes: What Not To Do
High-Performance EFCO Systems Shape MUSC's New Black River Medical Center
Heritage Valley Health System to Officially Affiliate with Alleghany Health Network
The Impact of Acoustics on Patient Privacy
Texas Behavioral Health Center in Dallas Opens with Ribon-Cutting Ceremony