Excelsior Orthopaedics says data breach compromised the data of 357,000 patients

New York-based orthopaedic care provider Excelsior Orthopaedics said that the data security incident it suffered last year compromised the sensitive personal information of 357,000 individuals.

 

Headquartered in Amherst, New York, the medical care practice offers a wide range of services, including orthopaedic surgery, sports medicine, physical therapy, occupational therapy, and imaging services. Apart from its New York clinic, Excelsior Orthopaedics operates Buffalo Surgery Centre and Northtowns Orthopaedics.

 

In a data security incident notice filed with the Office of Maine Attorney General,  Excelsior Orthopaedics said that on June 23, it identified  unusual activity in its internal network. The orthopaedic care provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“Initial results of the ongoing investigation indicate that the incident may have resulted in the compromise of employee information stored on Excelsior servers. Compromised data may include information about employees of the Buffalo Surgery Centre, a related entity,” reads the notice.

 

The compromised data included names, addresses, dates of birth, Social Security Numbers, Driver’s License numbers, non-driver identification card numbers, and biometric information. Excelsior said in its filing with the Maine state regulator that it identified at least 357,000 individuals who were impacted by the incident.

 

While Excelsior found no evidence of the compromised information being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general. It has also offered one year of complimentary identity protection and credit monitoring services through Cyberscout to all affected individuals.

 

In July, a hacker group calling itself the Monti ransomware group claimed responsibility for the cyber attack on Excelsior and listed it as a victim on its data leak site. The group claimed to be in possession of confidential data stolen from the healthcare provider and published the stolen data following a failed ransom negotiation on July 16.