On November 21, 2024, Concord Orthopaedics discovered a significant data breach involving unauthorized access to a third-party software system used for patient registration and appointment check-ins. Concord Orthopaedics, a specialty orthopaedic surgery and rheumatology practice based in New Hampshire, promptly took measures to secure the affected system, reset passwords, and engaged cybersecurity specialists to investigate the incident.
The investigation revealed that the breach was caused by a ransomware attack by a cybercriminal group known as Everest. The attackers gained unauthorized access to the third-party software system, potentially viewing or acquiring sensitive patient data. Concord Orthopaedics' internal electronic health records system was not compromised, as it resides in a separate and secure environment.
Information Exposed (according to official disclosures):
The ransomware group Everest claimed responsibility for this breach, announcing on its dark web portal that it had obtained Concord Orthopaedics' data, including medical records and personal data of all patients from 2018 onward. Everest has threatened to publish the stolen information within approximately two weeks of the announcement date and has posted sample screenshots on the Tor network as proof of its claims.
Concord Orthopaedics reported the breach to the Massachusetts Attorney General's office on March 25, 2025, disclosing that 1,517 Massachusetts residents were affected. The breach was also reported to the New Hampshire Attorney General's office on the same date, though the exact number of affected individuals in New Hampshire was not specified.
In response to this data breach, Concord Orthopaedics engaged external cybersecurity specialists to determine the scope of the breach and notified federal law enforcement authorities.
Concord Orthopaedics has set up identity protection services for affected individuals. If you believe you may have been impacted, you can contact their dedicated call center at 1-855-659-0098, available from 9am to 9pm Eastern Time, Monday through Friday, for enrollment instructions and further assistance.
Additionally, Concord Orthopaedics strongly recommends that affected individuals take proactive steps to protect their personal information:
For more detailed information, Concord Orthopaedics has published an official Notice to Consumers on their website.
The breach disclosures can also be viewed on the websites of the Massachusetts Attorney General and the New Hampshire Attorney General.
Concord Orthopaedics is a medical practice specializing in orthopaedic surgery and rheumatology. They operate multiple offices across New Hampshire, including locations in Concord, Derry, New London, Windham, Raymond, Laconia, and Plymouth. Concord Orthopaedics offers specialized care in sports medicine, spine surgery, pediatric orthopaedics, total joint surgery, orthopaedic trauma, hand surgery, foot and ankle care, and rheumatology.
For more information about the practice, visit their official website at concordortho.com.