Data Breaches Announced by Sun Valley Surgery Center & American Associated Pharmacies
Data breaches have recently been identified by Sun Valley Surgery Center in Nevada and American Associated Pharmacies in Alabama.
Sun Valley Surgery Center
Sun Valley Surgery Center in North Las Vegas, Nevada, has identified unauthorized access to its computer network. Anomalous activity was identified within its information systems on September 3, 2025. The forensic investigation confirmed that an unauthorized third party accessed parts of its network where sensitive patient information was stored.
Data potentially compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license/state-issued identification numbers, passport/other government identification numbers, and health information such as health histories, diagnosis/treatment information, explanation of benefits, health insurance information, and/or MRN numbers/patient identification numbers. Sun Valley Surgery Center has implemented additional safeguards and technical security measures to prevent similar incidents in the future. According to the HHS’ Office for Civil Rights breach portal, 27,001 individuals were potentially affected.
American Associated Pharmacies
One of the largest independent pharmacy organizations in the United States has recently fallen victim to a ransomware attack that resulted in the encryption of data on its systems. Scottsboro, AL-based American Associated Pharmacies (AAP) identified suspicious activity, including file encryption, within its computer network on October 23, 2024. Immediate action was taken to contain and mitigate the incident, including shutting down all affected systems and changing passwords to prevent further unauthorized access. The forensic investigation confirmed that initial access occurred ten days prior to the attack on October 13, 2024.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Assisted by third-party cybersecurity professionals, AAP determined that before file encryption, the attackers exfiltrated files from its network. The review of those files has recently been completed, and individual notifications are now being mailed to the affected individuals. Data compromised in the incident varies from individual to individual and may include names, addresses, birth dates, Social Security numbers, passport numbers, driver’s license number/other government-issued identification numbers, bank/financial account numbers/routing numbers, clinical/treatment information, medical information, provider names, medical record numbers, health insurance information, prescription information and/or usernames and passwords.
Several steps have been taken to augment security to prevent similar incidents in the future, including implementing further monitoring tools and expanding the use of multifactor authentication. The affected individuals have been advised to monitor their free credit reports, account statements, and explanation of benefits statements for suspicious activity. Credit monitoring and identity theft protection services have been offered to certain individuals, according to the notification sent to the Maine Attorney General. That notification indicates 8,032 individuals have been affected, including 25 Maine residents.
