Concord Orthopaedics Data Breach Affects 72,815 People

Published: March 26, 2025
Updated: April 3, 2025
Types of information affected

  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial information

On November 21, 2024, Concord Orthopaedics discovered a significant data breach involving unauthorized access to a third-party software system used for patient registration and appointment check-ins. Concord Orthopaedics, a specialty orthopaedic surgery and rheumatology practice based in New Hampshire, promptly took measures to secure the affected system, reset passwords, and engaged cybersecurity specialists to investigate the incident.

The investigation revealed that the breach was caused by a ransomware attack by a cybercriminal group known as Everest. The attackers gained unauthorized access to the third-party software system, potentially viewing or acquiring sensitive patient data. Concord Orthopaedics' internal electronic health records system was not compromised, as it resides in a separate and secure environment.

Information Exposed (according to official disclosures):

  • Name
  • Date of birth
  • Social Security number
  • Appointment information (appointment type, treating physician, date, and location)
  • Health insurance information (health plan beneficiary number, health plan number, insurance eligibility details)
  • Driver’s license or state identification number (including images of licenses or IDs for some individuals)

The ransomware group Everest claimed responsibility for this breach, announcing on their dark web portal that they had obtained Concord Orthopaedics' data, including medical records and personal data of all patients from 2018 onward. Everest has threatened to publish the stolen information within approximately two weeks from the announcement date, providing sample screenshots as proof of their claims on the Tor network.

Concord Orthopaedics reported the breach to the Massachusetts Attorney General's office on March 25, 2025, disclosing that 1,517 Massachusetts residents were affected. The breach was also reported to the New Hampshire Attorney General's office on the same date, though the exact number of affected individuals in New Hampshire was not specified.

Concord Orthopaedics' response

In response to this data breach, Concord Orthopaedics engaged external cybersecurity specialists to determine the scope of the breach and notified federal law enforcement authorities.

Concord Orthopaedics has set up identity protection services for affected individuals. If you believe you may have been impacted, you can contact their dedicated call center at 1-855-659-0098, available from 9am to 9pm Eastern Time, Monday through Friday, for enrollment instructions and further assistance.

Additionally, Concord Orthopaedics strongly recommends that affected individuals take proactive steps to protect their personal information:

  • Regularly review financial and credit accounts for suspicious activity.
  • Obtain free annual credit reports from the three nationwide consumer reporting agencies via AnnualCreditReport.com.
  • Place fraud alerts or security freezes on credit reports through the nationwide credit bureaus: Equifax, Experian, and TransUnion.
  • Report incidents of identity theft to the Federal Trade Commission, local law enforcement, or your state's Attorney General's office.

For more detailed information, Concord Orthopaedics has published an official Notice to Consumers on their website.

The breach disclosures can also be viewed on the websites of the Massachusetts Attorney General and the New Hampshire Attorney General.

About Concord Orthopaedics

Concord Orthopaedics is a medical practice specializing in orthopaedic surgery and rheumatology. They operate multiple offices across New Hampshire, including locations in Concord, Derry, New London, Windham, Raymond, Laconia, and Plymouth. Concord Orthopaedics offers specialized care in sports medicine, spine surgery, pediatric orthopaedics, total joint surgery, orthopaedic trauma, hand surgery, foot and ankle care, and rheumatology.

For more information about the practice, visit their official website at concordortho.com.

Affected Entity: Concord Orthopaedics
Consumers Notification date:
Date of Breach:
Breach Discovered Date: November 21, 2024
Total People Affected: 72,815
Information Types Exposed:
  • Name
  • Date of birth
  • Social Security number
  • Medical records
  • Appointment information
  • Health insurance information
  • Driver’s license or state identification number