408,000 Individuals Affected by Cyberattacks on NY & WY Orthpaedics Specialists
More than 408,000 individuals have been affected by data breaches at two orthopaedic healthcare providers: Excelsior Orthopaedics in New York (394,752 records) and Teton Orthopaedics in Wyoming (13,409 records).
Excelsior Orthopaedics, New York
The orthopaedics and sports medicine specialists, Excelsior Orthopaedics, in Amherst, New York, have recently confirmed a major data breach involving the protected health information of up to 394,752 individuals.
On June 23, 2024, unusual activity was identified within its IT systems. An investigation was launched to determine the cause of the activity, which revealed an unauthorized third party had accessed certain systems and viewed or copied the data of current and former patients and employees of Excelsior Orthopaedics and related entities, including Northtowns Orthopaedics in Buffalo and Buffalo Surgery Center in Amherst, the latter has submitted a report to the HHS Office for Civil Rights indicating 64,000 of its patients were affected.
Third-party data mining experts were engaged to determine the individuals affected and the types of information involved, and based on the initial findings, in August 2024, the HHS’ Office for Civil Rights was notified about the attack, and notification letters were sent to a small number of individuals whose data was confirmed as being involved. The data mining process was not completed until December 2024, and a second wave of breach notification letters was mailed on December 31, 2024.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The types of data compromised in the incident include demographic information, driver’s license numbers, medical information, health insurance information, financial information, and, for a limited number of individuals, Social Security numbers. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. Excelsior said it is committed to ensuring the privacy and security of personal information and has taken several steps to improve security, including deploying new security tools, redesigning key systems and business processes, and implementing enhanced system alerts to reduce response times. Security awareness training for employees and business partners has also been enhanced to improve education on cybersecurity threats.
The breach was initially thought to affect up to 357,000 patients; however, the total has now been increased to 394,752 individuals.
Teton Orthopaedics, Wyoming
Teton Orthopaedics, a Jackson, WY-based Orthopaedic care provider, has recently notified 13,409 individuals that some of their personal and protected health information was compromised in a March 2024 ransomware attack. The incident was detected on or around March 25, 2024, when files on its network were encrypted. The forensic investigation determined that the ransomware group had access to its network from January 16, 2024, to March 25, 2024. A data mining vendor was engaged to determine the types of information involved, which took several months to complete. Teton Orthopaedics then obtained up-to-date contact information to allow notifications to be mailed.
For the majority of affected individuals, the breached information included names, addresses, dates of birth, health insurance information, and/or medical information. A subset of individuals may also have had their driver’s license/Government ID numbers, Social Security numbers, financial account information, passport information, and/or payment card information compromised. Notification letters were mailed to the affected individuals on December 13, 2024. Teton Orthopaedics said it has taken steps to strengthen its security posture, including implementing multifactor authentication, strengthening password requirements, and updating its physical hardware.
