Cyber Incident Victim: American Osteopathic Association
Date: Jun 2020
Location: United States of America
Summary
The American Osteopathic Association experienced a cyberattack compromising personal data including names, Social Security numbers, financial account details, dates of birth, addresses, and login credentials. Following suspicious system activity, the organization initiated an investigation revealing unauthorized access and exfiltration of sensitive information affecting over 27,000 individuals. Notification delays were attributed to pandemic-related operational challenges hindering timely identification of impacted parties. The association offered affected individuals complimentary credit monitoring services and reported no evidence of malicious misuse of the stolen data at the time of disclosure.
Description
On June 25, 2020, the American Osteopathic Association (AOA), a Chicago-based non-profit representing approximately 151,000 osteopathic physicians and medical students, detected suspicious activity on its systems. This prompted immediate containment measures, including network shutdown, followed by engagement of computer forensic specialists to investigate the security incident. The forensic analysis confirmed unauthorized actors had breached systems containing personally identifiable information and successfully exfiltrated data. Subsequent review determined the compromised information included names, addresses, dates of birth, Social Security numbers, financial account details, email addresses, usernames, and passwords. The AOA completed its assessment of impacted individuals by June 1, 2021, identifying 27,485 affected persons across the United States, including 209 residents of Maine.

Notification letters began mailing in October 2021, nearly sixteen months after initial detection, with the AOA attributing delays to operational challenges caused by the COVID-19 pandemic. The organization cited staff working conditions and physical access limitations as primary factors hindering timely identification of affected parties. Impacted individuals were offered one year of complimentary credit monitoring services. In its breach report filed with Maine’s attorney general on October 13, 2021, the AOA stated it had no evidence of actual or attempted malicious use of the stolen data. The incident exposed sensitive personal and financial information but did not disrupt the organization’s broader operational capacity to serve its membership base.
