Concord Orthopaedics Data Breach Affects 67,835 in New Hampshire

On November 21, 2024, Concord Orthopaedics discovered a data breach involving a third-party vendor responsible for patient registration and appointment intake. The breach was caused by a ransomware attack executed by a cybercriminal group known as Everest.

The Everest ransomware group claimed responsibility for the breach, stating on their dark web portal that they obtained medical records and personal data of all Concord Orthopaedics patients dating back to 2018. They threatened to publish the stolen data within 13-14 days and provided sample screenshots as proof of their claim.

The breach was subsequently disclosed to the New Hampshire Attorney General's office on March 25, 2025. According to the official disclosure submitted to the New Hampshire Attorney General, approximately 67,835 individuals in New Hampshire were affected by this incident.

The compromised information included both personally identifiable information (PII) and protected health information (PHI) like patient names, dates of birth, Social Security numbers, driver's license or state identification numbers, health insurance details (such as health plan beneficiary numbers, health plan numbers, and insurance eligibility information), and appointment-related information (appointment type, treating physician name, date, and location of appointment).

Concord Orthopaedics emphasized that the breach was limited to the third-party vendor's software and did not affect Concord Orthopaedics' internal environment or its electronic health records system.

Concord Orthopaedics's response

Following discovery of the breach, Concord Orthopaedics acted by shutting down all access to the compromised third-party software and resetting passwords. They also engaged external cybersecurity specialists to investigate the extent of the breach. Concord Orthopaedics notified federal law enforcement and continues to review its policies and practices regarding third-party vendors to prevent similar incidents in the future.

To assist affected individuals, Concord Orthopaedics is offering identity protection services. Those who believe they may have been impacted by this breach can contact Concord Orthopaedics' dedicated call center at 1-855-659-0098, available Monday through Friday from 9am to 9pm Eastern Time, to obtain additional information and instructions on enrolling in these services.

Additionally, Concord Orthopaedics recommends that affected individuals remain vigilant by regularly reviewing their financial accounts and monitoring credit reports for suspicious activity. Individuals should also consider placing fraud alerts or security freezes on their credit files. Detailed instructions on how to place fraud alerts and security freezes, as well as additional guidance for identity theft protection, are available in the company's official notice to consumers, which can be found on the Concord Orthopaedics website.

For further details, the complete disclosure submitted to the New Hampshire Attorney General's office is available on the New Hampshire Attorney General's website.