Data Breach Reported by Orthopedic Implant Manufacturer TriMed
TriMed, a Santa Clarita, California-based manufacturer of upper and lower orthopedic implants, has announced a data security incident involving unauthorized access to parts of its network where order forms and invoices were stored. While in the most part the exposed data only contained information related to the company’s hardware and the individuals who received it, in some cases, the documentation included personal information.
TriMed identified suspicious activity without certain systems in September 2025, prompting an investigation to determine the nature and scope of the activity. The forensic investigation determined that an unauthorized third party had access to parts of its environment between September 13, 2025, and September 21, 2025, during which time, files were potentially accessed and acquired by the unauthorized third party.
TriMed manufactures hardware that is surgically implanted to repair or replace damaged joints. A programmatic and manual review of the exposed files confirmed that they contained information related to that hardware, which would have been ordered on a patient’s behalf, including part type, associated installation components such as screws, or the ordering surgeon’s name. While the affected documents do not typically include personal information, in certain cases, the documents contained names, dates of birth, and medical record numbers. The exposed documents did not contain Social Security numbers or financial information such as bank account or credit/debit card numbers.
TriMed has taken steps to augment security to prevent similar incidents in the future, including strengthening its existing security controls and threat detection practices. Further, TriMed has integrated a global security operations center and will continue to update its security measures, as appropriate, in the future. TriMed reported the incident to law enforcement, but there was no request to delay notifications to the affected individuals. The notification letters were sent as soon as possible once the affected individuals and data categories were identified. While Social Security numbers were not involved, credit monitoring and identity theft protection services have been offered for 24 months, according to the notification letter sent to the Maine Attorney General.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The Maine Attorney General was informed that two Maine residents were affected, but the data breach listing does not state how many individuals were affected in total, and the incident has yet to be added to the HHS’ Office for Civil Rights website. No known threat group appears to have claimed responsibility for the attack.
