Greater Pittsburgh Orthopedic Associates data breach affected over 55,000 people

Greater Pittsburgh Orthopedic Associates said an unauthorised third party access to its IT network in August 2025 compromised the personal and healthcare information of about 57,000 customers.

 

The healthcare firm, which is the oldest continuously-operating orthopaedic surgical associates in Pittsburgh, said in a data breach notification shared with the Attorney Generals of Maine and Vermont that it learned about the data security incident on August 10, 2025, when it detected unauthorised third party access to its computer network.

 

GPOA said that as soon as it discovered the attack, it initiated incident response and engaged additional third-party experts to secure its IT environment, strengthen network security and commence a digital forensic investigation into the unauthorised access and the extent of the breach.

 

"With the assistance of the third-party digital forensic investigation, we determined that your personal or
health information could have been compromised," GPOA said in a letter sent to affected patients. "While the impacted data elements vary, this compromise could have included your name, mailing address, Social Security number, and provider name."

 

"We take this incident seriously and are committed to the strength of our systems’ security to prevent a similar event from occurring in the future. We are also focused on continuous awareness training and assessment of our data security. We have notified law enforcement regarding this incident," the firm added.

 

GPOA is located in the Pittsburgh metro area but its consulting orthopaedic associates also serve in far-off locations such as Moon Township, Monroeville, Cranberry Township, Brackenridge, and Sewickley in the state of Pennsylvania.

 

The firm informed the Attorney Generals of Maine and Vermont that the data security incident impacted the personal information of 56,954 patients. GPOA is offering all affected patients free single bureau credit report, free credit monitoring and single bureau credit score services through Cyberscout.   

 

"We are not aware of anyone experiencing fraud as a result of this incident. As data incidents are increasingly
common, we encourage you to always remain vigilant, monitor your accounts, and immediately report any
suspicious activity or suspected misuse of your personal information," the firm added.

 

The orthopaedic care provider also faces a class-action lawsuit related to a data security incident in May 2024 that involved the RansomHouse ransomware group targeting the firm’s computer network and accessing stored information. GPOA discovered the incident on or around August 22, 2025, more than a year after it took place.