Orthopaedic Institute of Western Kentucky Patients Affected by Vendor Data Breach
Orthopaedic Institute of Western Kentucky has notified patients that their PHI was compromised in two security incidents at their managed IT services provider. Supportive Home Health Care and Patriot Outpatient has identified unauthorized access to an employee’s email account.
Orthopaedic Institute of Western Kentucky
Orthopaedic Institute of Western Kentucky (now Mercy Health — Western Kentucky Orthopedics) in Paducah, Kentucky, has been affected by two security incidents at one of its business associates, the managed IT services provider Keystone Technologies.
Keystone Technologies notified the orthopedic institute about unauthorized access to Keystone systems on two occasions: the first between April 21, 2025, and April 26, 2025, and the second between July 19, 2025, and August 1, 2025. During both periods, unauthorized individuals exfiltrated files containing patient information. The affected files were reviewed, and the affected individuals were identified in December 2025 and January 2026. Data compromised in the incident included names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment information, and health insurance information. Electronic medical records were not subject to unauthorized access, nor were any of Mercy Health’s systems.
The affected individuals have now been notified and offered a complimentary 12-month membership to a credit monitoring and identity theft protection service. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Supportive Home Health Care and Patriot Outpatient
Superior Care Plus, LLC, doing business as Supportive Home Health Care and Patriot Outpatient, LLC (Patriot), a provider of home healthcare services in Northeast Ohio, has announced a data breach affecting 1,415 of its patients.
On November 17, 2025, suspicious activity was identified within an employee’s email account. An investigation was launched to determine the nature and scope of the activity, and Patriot confirmed that the email account was compromised as a result of the employee responding to a phishing email. No other email accounts or systems were compromised in the incident.
On January 9, 2026, the forensic investigation was completed, and Patriot confirmed that the compromised account contained first and last names, city/ZIP codes, email addresses, health insurance policy numbers, medical treatment information, admission/discharge dates, patient logs, referring facility, start care date, policy name, and referring primary care physician name. A limited number of individuals also had their Social Security numbers and/or Medicare numbers exposed.
Patriot has taken several steps to prevent further unauthorized access to email data. The affected email account was deleted, and the individual, and a new account was created, rather than reactivating the account after a password change. Further training has been provided to the workforce on email security and phishing email identification, and third-party cybersecurity experts have helped Patriot enhance its technical security measures and procedures.
