Settlement Agreed to Resolve Class Action Data Breach Litigation Against Concord Orthopaedics
Concord Orthopaedics Professional Association, a New Hampshire-based provider of comprehensive orthopedic and rheumatology care, has settled a consolidated class action lawsuit stemming from a November 2024 cybersecurity incident involving unauthorized access to the personal and protected health information of 72,815 individuals.
Concord Orthopaedics detected an intrusion on November 21, 2024. Hackers had gained access to its computer network, where names, dates of birth, Social Security numbers, appointment information, health insurance information, and driver’s license/state identification numbers were stored. The affected individuals started to be notified about the incident on March 25, 2025.
The first class action lawsuit was filed by plaintiff Kattie Montambeault on April 1, 2025, in the Merrimack County Superior Court for the State of New Hampshire. A further four class action complaints were filed in response to the data breach, which were consolidated into a single action – Montambeault, et al. v. Concord Orthopaedics Professional Association – in the Superior Court of Hillsborough County, New Hampshire. The consolidated class action complaint names 12 individuals as class representatives.
The lawsuit alleged that Concord Orthopaedics failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data stored on its network, and that, as a result of that failure, the plaintiffs’ and class members’ personal and protected health information was accessed by hackers.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Concord Orthopaedics agreed to a settlement to resolve all claims asserted in the lawsuit with no admission of wrongdoing, fault, or liability. Class counsel and the class representatives believe that the settlement is fair, and the settlement has received preliminary approval from the court. The settlement provides multiple benefits for the class members. All class members are entitled to a one-year membership to a medical data monitoring service, and may also submit a claim for the following benefits:
- Reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $3,000 per class member
- Reimbursement of lost time of up to 4 hours at $25 per hour (maximum of $100)
In addition to or instead of a claim for reimbursement of out-of-pocket losses, class members may submit a claim for a one-time cash payment, which is estimated to be $50, but may be higher or lower depending on the number of valid claims received. Individuals submitting a claim for reimbursement of lost time are not eligible to claim the one-time cash payment.
The deadline for objection to the settlement and exclusion is May 26, 2026. The deadline for submitting a claim is July 8, 2026, and the final fairness hearing has been scheduled for June 23, 2026
