What Happened in the ACLA Data Breach?
Anatomic and Clinical Laboratory Associates P.C. (ACLA), a physician-owned pathology group based in Nashville, Tennessee, has confirmed a data breach involving its computer network. The ACLA data breach exposed sensitive personal and medical information belonging to patients. This incident began when the company detected unusual activity within its systems late last year.
According to the company, ACLA became aware of potential unauthorized activity on Dec. 1, 2025. As a result, the company launched an internal investigation to determine the scope of the intrusion. That investigation revealed that an unknown actor may have gained access to the network and downloaded certain files without authorization.
Because the exposed files contained highly sensitive data, ACLA conducted a detailed review of every potentially affected document. This process took considerable time due to the complexity of the records involved. The review did not conclude until April 27, 2026, nearly five months after the initial discovery. Once the review was complete, ACLA moved forward with notifying affected individuals and regulators.
Who was affected?
The ACLA data breach affects patients whose personal and medical information was stored on the company’s network. So far, the breach has impacted at least 69 Massachusetts residents and 21 New Hampshire residents, based on notifications filed with state regulators. However, the total number of individuals affected nationwide has not been publicly disclosed.
Because ACLA operates as a pathology laboratory, the affected individuals are likely patients whose specimens or medical records passed through the company’s systems. This means the breach could extend beyond the two states currently reporting numbers. In addition, patients of any age could be included, since laboratory testing often involves individuals across a wide range of demographics.
What Information Was Potentially Exposed?
The ACLA data breach exposed a combination of personally identifiable information and protected health information. This mix of data types makes the incident particularly concerning for affected individuals. The specific categories of exposed information include the following.
- Full names
- Dates of birth
- Social Security numbers
- Taxpayer identification numbers
- Medical dates of service
- Medical provider names
- Mental or physical condition information
- Medical treatment and procedure information
- Diagnosis or clinical information
- Medical history
- Patient account numbers
- Medical record numbers
Because Social Security numbers and taxpayer identification numbers were involved, affected individuals face a real risk of identity theft and financial fraud. Criminals can use this data to open new credit accounts, file fraudulent tax returns, or apply for loans in someone else’s name. This type of fraud can take months to detect and even longer to resolve.
In addition, the exposure of medical information creates a separate and equally serious risk. Diagnosis details, treatment history, and provider names could be used for medical identity theft. For example, a criminal could use stolen medical identifiers to obtain healthcare services or prescription drugs fraudulently, which could corrupt a victim’s medical records in the process.
What is the company doing?
Once ACLA confirmed the scope of the breach, the company began mailing notification letters to affected individuals on June 23, 2026. Each letter included details about the incident, a personalized activation code for identity protection services, and guidance on protective steps. ACLA also posted a substitute notice on its website for individuals who may not have received a mailed letter.
Given the sensitive nature of the exposed information, ACLA is offering complimentary credit monitoring and identity theft protection services through Epiq, a data breach recovery services provider. These services include credit monitoring with alerts, dark web monitoring, credit protection, change of address monitoring, identity restoration, and lost wallet assistance. Affected individuals must enroll by Sept. 30, 2026 to receive these protections at no cost.
Furthermore, ACLA has set up two dedicated phone lines to assist affected individuals. One line handles enrollment assistance for the identity protection services, while a separate line addresses general questions about the incident. This second line will remain available for 90 days from the date of each individual’s notification letter, giving people time to ask questions and understand their options.
What Should Affected Individuals Do?
Enroll in the Free Credit Monitoring Services
Anyone who received a notification letter from ACLA should enroll in the complimentary credit monitoring and identity theft protection services as soon as possible. These services can help detect suspicious activity before it causes significant financial harm. Enrollment requires visiting privacysolutionsid.com and entering the activation code included in the letter.
Because the enrollment deadline is Sept. 30, 2026, affected individuals should not delay this step. If you believe you were affected but did not receive a letter, you can call the enrollment assistance line to verify your eligibility. Acting quickly gives these protective services more time to catch fraudulent activity early.
Monitor Your Credit Reports Closely
In addition to the offered monitoring services, affected individuals should regularly check their own credit reports for unfamiliar activity. You can request free credit reports from each of the three major credit bureaus once a year. Reviewing these reports helps you spot new accounts or inquiries you did not authorize.
If you notice anything suspicious, report it immediately to the credit bureau and consider disputing the entry. This proactive approach works alongside the credit monitoring service ACLA is providing. Together, these steps offer a stronger layer of protection against long-term financial damage.
Consider a Fraud Alert or Credit Freeze
Because Social Security numbers were exposed in this breach, affected individuals should strongly consider placing a fraud alert or credit freeze on their credit files. A fraud alert warns lenders to verify your identity before opening new credit in your name. A credit freeze goes further by restricting access to your credit file entirely.
Placing either protection is free and can be done directly through the credit bureaus. While a credit freeze offers stronger protection, it also requires you to lift it temporarily when applying for new credit. Choosing the right option depends on your personal risk tolerance and financial habits.
Protect Yourself Against Medical Identity Theft
Since protected health information was also exposed, affected individuals should watch for signs of medical identity theft. This includes unfamiliar charges on medical bills, unexpected collection notices, or unrecognized entries in your medical records. Reviewing statements from healthcare providers and insurers regularly can help catch these issues early.
If you spot anything unusual, contact your healthcare provider or insurer right away to dispute the charges. You may also request a copy of your medical records to check for inaccuracies caused by fraudulent use. Addressing these issues quickly can prevent lasting damage to both your finances and your medical history.
Stay Alert for Phishing Attempts
Following a breach like this, scammers often try to exploit the situation through phishing emails, texts, or phone calls. These messages may impersonate ACLA, Epiq, or even credit bureaus in an attempt to steal additional information. Because of this, affected individuals should remain cautious about unsolicited communications referencing the breach.
Never click on links or provide personal information in response to unexpected messages. Instead, verify any communication by contacting the company directly using official phone numbers or websites. If you suspect you have been targeted by a phishing scam, consider reporting it and consulting a data breach attorney to discuss your legal options.
More Information
Anatomic and Clinical Laboratory Associates P.C.
