Aya Healthcare reports data breach exposing personal information of healthcare workers
Learn More
Aya Healthcare, Inc., a healthcare staffing company based in San Diego, California, is reporting a data breach affecting thousands of individuals.
The security incident occurred on January 12, 2025, and was discovered by Aya Healthcare on January 29, 2025.
The breach resulted from what appears to be a credential stuffing attack. Unauthorized third parties attempted to use usernames and passwords obtained from unrelated sources or websites to gain access to user accounts on Aya's systems. A small number of these attempts were successful, which Aya believes resulted in an automated bot logging into their systems and viewing certain limited information. The potentially exposed information includes:
- Names
- Phone numbers
- Email addresses
- State nursing license numbers
- Home addresses
- Dates of birth
- Social Security numbers
- Vaccination status
The incident exposed the data of 3,187 individuals.
Aya Healthcare claims that that they have "no reason to believe that this information was viewed or downloaded by any person" and believes the information was only accessed by an automated bot agent. This makes no sense, since an automated agent will easily copy all the data and send it elsewhere.
Aya Healthcare is notifying affected individuals and is offering 24 months of complimentary credit monitoring and identity theft restoration services.
