Excelsior Orthopaedics Data Breach Exposes Sensitive Information of Nearly 400,000 Patients

Illinois-based orthopaedic care provider Excelsior Orthopaedics said that the data security incident it suffered last year compromised the sensitive personal information of nearly 400,000 individuals.

 

Headquartered in Amherst, Illinois, the medical care practice offers a wide range of services, including orthopaedic surgery, sports medicine, physical therapy, occupational therapy, and imaging services. Apart from its New York clinic, Excelsior Orthopaedics operates Buffalo Surgery Centre and Northtowns Orthopaedics.

 

In a data security incident notice filed with the Office of Maine Attorney General,  Excelsior Orthopaedics said that on June 23, it identified unusual activity within its internal network. The healthcare provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“Initial results of the ongoing investigation indicate that the incident may have resulted in the compromise of employee information stored on Excelsior servers. Compromised data may include information about employees of the Buffalo Surgery Centre, a related entity,” reads the notice.

 

The compromised data included names, addresses, dates of birth, Social Security Numbers, Driver’s License numbers, non-driver identification card numbers, and biometric information. In an initial filing with the Maine state regulator, Excelsior said that it has identified at least 357,000 individuals impacted by the incident.

 

However, in a recent filing, Excelsior said at least 394,752 individuals were impacted by the incident.

 

While Excelsior found no evidence of the compromised information being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general. It has also offered one year of complimentary identity protection and credit monitoring services through Cyberscout to all affected individuals.

 

 

In July, a hacker group calling itself the Monti ransomware group claimed responsibility for the cyber attack on Excelsior and listed it as a victim on its data leak site. The group claimed to be in possession of confidential data stolen from the healthcare provider and published the stolen data following a failed ransom negotiation on July 16.