
Colorado-based Western Orthopaedics said cyber criminals infiltrated its IT network in September 2025 and stole the health data of over 113,000 patients over an eight-day period.
The orthopaedic surgery practice, operating since 1938, announced in a regulatory filing with the U.S. Department of Health and Human Services Office for Civil Rights and with the office of the Attorney General of Massachusetts that the hacking activity took place between September 17 and 25 last year and compromised patients’ protected healthcare records.
Western Orthopaedics also notified affected customers that it learned about a potential security incident affecting its systems on October 2 last year and immediately launched an investigation with assistance from its contracted cyber security team and external cyber security experts to determine the nature and scope of the incident.
The orthopaedic care hospital soon determined that the security incident involved unauthorised entities infiltrating its network and stealing certain information from its systems. Following the discovery, it launched further analysis to determine whether the hackers had exfiltrated patients’ personal information and protected health information.
On March 3, Western Orthopaedics completed its analysis of the compromised information, confirming that the data breach had compromised the sensitive information of a large number of patients. The stolen records included patients’ names, addresses, phone numbers, Social Security numbers, dates of birth and financial information such as credit and debit card numbers, some including security codes and passwords.
The stolen records also contained protected health information such as patients’ health insurance data, dates of medical service, treatment costs, billing details, and insurance subscriber identification numbers. The amount of breached data varied for each individual.
Western Orthopaedics informed the HHS Office for Civil Rights that the cyber security incident compromised the personal and health information of approximately 113,330 patients.
"Although we have no indication of identity theft or fraud in relation to this event, to help relieve concerns and restore confidence following this incident, we have arranged for you to enroll in complimentary credit monitoring and identity protection services, at no cost to you, through Epiq," the orthopaedic surgery practice said in its letter to affected customers.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543