The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

340,000 Individuals Affected by Security Breach at St Clair Orthopaedics & Sports Medicine

Data breaches have recently been announced by St Clair Orthopaedics & Sports Medicine in Michigan and Rheumatology Associates of Baltimore in Maryland.

St Clair Orthopaedics & Sports Medicine

During a recent check of the HHS’ Office for Civil Rights breach portal, a data breach was identified that had not been reported by The HIPAA Journal. St Clair Orthopaedics & Sports Medicine (SCOSM) in St. Clair Shores, Michigan, reported a breach to OCR on January 30, 2025, that involved the protected health information of 340,000 individuals.

Suspicious activity was identified within the SCOSM network on November 24, 2024. An investigation was launched to determine the nature and scope of any unauthorized network access, with assistance provided by third-party cybersecurity experts. On December 9, 2024, SCOSM learned that unauthorized individuals had gained access to parts of its network that contained patient data, and once the investigation was completed on December 20, 2024, a comprehensive review was conducted to determine the patients affected and the types of data involved.

The file review was completed on January 29, 2025, and notification letters have been mailed to the affected individuals. The data exposed in the incident varied from individual to individual and may have included information such as names, addresses, phone numbers, email addresses, and dates of birth in combination with one or more of the following:

  • Health insurance information: health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare government payor ID numbers
  • Health information: medical record numbers, doctors, diagnoses, medications, test results, images, and care and treatment information
  • Billing, insurance claims, and payment data: claim numbers, account numbers, billing codes, and balances
  • Other personal data: Social Security numbers, driver’s license/state ID numbers, and other ID numbers

SCOSM said additional security measures have been implemented to prevent similar incidents in the future.

Rheumatology Associates of Baltimore

Rheumatology Associates of Baltimore (RAB) in Maryland has recently disclosed a security incident involving the protected health information of 28,968 patients. The breach occurred at one of its business associates, Endue Software. Endue Software notified RAB about the breach on April 11, 2025, which may have involved unauthorized access to RAB data stored on its systems. Endue Software first identified unauthorized network access on February 17, 2025, with the subsequent forensic investigation confirming access to its network by an unauthorized third party for a short period of time on February 16, 2025. While the window of opportunity was short, the threat actor copied data from Endue’s systems. The file review confirmed that the stolen data included names, addresses, Social Security numbers, birth dates, and medical record numbers. RAB posted a substitute breach notice on its website to warn the affected patients; however, Endue will be mailing the breach notification letters.

Endue Software has reported the breach to the HHS’ Office for Civil Rights on behalf of other affected clients. The breach report states that 118,028 individuals were affected.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
