Concord Orthopaedics data breach impacted over 65,000 patients

Orthopaedic care provider Concord Orthopaedics said it experienced a significant data security incident in November that compromised the sensitive personal information of more than 65,000 individuals.

 

Headquartered in Concord, New Hampshire, Concord Orthopaedics, locally known as COPA, specialises in comprehensive orthopaedic care, including surgical and non-surgical treatment of bones, joints, muscles, and related conditions.

 

In a data security incident notice filed with the Office of Attorney General of New Hampshire, COPA said that on November 21, it was notified by a third-party service provider that the software COPA uses to check-in patients and prospective patients for appointments was accessed by an unauthorised threat actor.

 

COPA immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident. It also took steps to secure the affected systems, shut down all access to it and reset passwords for the compromised applications.

 

“Through this investigation, COPA determined that an unauthorised party accessed this third-party software and potentially viewed and/or acquired patient registration and appointment intake information stored there,,” the provider said. “The investigation found no evidence of compromise to COPA’s internal environment or its electronic health records system, which is hosted in a separate application.”

 

According to COPA, the compromised data includes names, dates of birth, Social Security numbers, appointment information (including appointment types, treating physician names, and dates and location of appointment), health insurance information (including health plan beneficiary numbers, health plan numbers, and insurance eligibility information), and driver’s license or state identification numbers.

 

COPA’s filing with the New Hampshire state regulator also revealed that it identified at least 67,835 individuals who were impacted by the incident.

 

COPA has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general.  It has also offered one year of complimentary identity protection and credit monitoring services through Experian to all affected individuals.