CTPO Data Breach Affects 140,000 Patients: PHI Exposed

Central Texas Pediatric Orthopedics (CTPO), based in Austin, Texas, recently experienced a significant data breach affecting approximately 140,000 individuals across the United States, including 90,000 residents in Texas. The breach was first discovered by CTPO on January 25, 2025, when the organization became aware of unauthorized activity on its network.

Upon identifying the breach, CTPO took steps to secure its systems and launched an extensive investigation with the assistance of a leading forensic security firm. The investigation revealed that an unauthorized actor gained access to CTPO's computer systems between January 23 and January 26, 2025. On February 4, 2025, CTPO determined that the accessed locations likely contained patient information and limited information related to volunteers.

Following a thorough review of the compromised files, CTPO confirmed on April 1, 2025, that the exposed data included personally identifiable information (PII) and protected health information (PHI) like individuals' names, government-issued ID numbers (such as passports or state ID cards), dates of birth, medical information, health insurance information, and x-ray images.

The ransomware group known as Qilin claimed responsibility for the attack, stating that they successfully infiltrated CTPO's systems and obtained sensitive data. The group posted claims of the breach on their dark web portal, along with sample screenshots to substantiate their claim.

This incident is categorized as a ransomware attack, in which cybercriminals typically encrypt data and demand payment in exchange for restoring access or preventing data leaks.

As required by law, CTPO reported the breach to several regulatory authorities, including the Texas Attorney General's office on March 6, 2025, the U.S. Department of Health and Human Services on April 4, 2025, and the Vermont Attorney General's office on April 11, 2025.

Central Texas Pediatric Orthopedics's Response

To support affected individuals, CTPO has provided detailed information on steps to minimize the risk of identity theft and fraud. Affected individuals are encouraged to remain vigilant by regularly reviewing personal account statements and monitoring credit reports for unauthorized activity.

CTPO advises placing fraud alerts and security freezes on credit files and promptly reporting any suspicious activity to financial institutions, law enforcement, and the Federal Trade Commission.

For more information, affected individuals can contact CTPO's dedicated call center at 1-833-998-9206, available Monday through Friday, between 8:00 a.m. and 8:00 p.m. Eastern Time, excluding holidays. Individuals should reference the CTPO Incident when calling.

CTPO has provided a detailed consumer notice outlining steps to protect personal information, which can be viewed on the Texas Attorney General's website, the Vermont Attorney General's website, and the U.S. Department of Health and Human Services' website.

For more information about CTPO, visit their official website.