Acadia Healthcare Company, Inc. (“Acadia”) experienced a data security incident that involved patient information. This notice explains the incident, measures that have been taken, and some steps patients can take in response.
On March 25, 2026, unusual activity was detected in a user’s email account. The email account was secured, and an investigation was launched with the assistance of a third-party forensic investigation firm. Through our investigation, we determined that an unauthorized party gained access to one email account and an associated SharePoint account through social engineering. Between March 21, 2026 and March 25, 2026, the unauthorized party accessed and acquired certain emails and SharePoint files. The investigation confirmed that this incident was limited to the one email account and associated SharePoint account and did not involve our electronic health record systems. Importantly, this incident did not disrupt our operations or our ability to care for patients.
A review was initiated to determine the contents of those emails and files involved in the incident. Through this ongoing review, files containing patient information have been identified, including names, addresses, dates of birth, treatment information, dates of treatment, type of treatment, and health insurance information. For some individuals, the files also contained their Medicare Health Insurance Claim Number (HICN), which may include their Social Security number.
Beginning on May 22, 2026, notification is being provided to patients whose information was involved in the incident. A dedicated, toll-free incident response line has been established to answer any questions you may have about the incident. If you have any questions, please call 888.500.5708, Monday–Friday, 9:00 am – 9:00 pm Eastern Time, excluding major U.S. holidays.
For patients whose information was involved, we recommend that you review any statements you receive from your healthcare providers and health insurance plans. If you see any services that were not received, please contact the provider or health plan immediately.
We are committed to protecting the confidentiality and security of the information we maintain. We regret any inconvenience or concern this incident may cause and take this matter seriously.
To help prevent something like this from happening again, we have implemented, and will continue to adopt, additional safeguards and technical security measures to further protect and monitor our systems.
