Excelsior Orthopaedics Data Breach Affects 357,000

Published: January 8, 2025
Updated: January 8, 2025
Types of information affected

  • Names
  • Social Security Numbers
  • Dates of Birth
  • Addresses
  • Government IDs
  • Medical Information
  • Financial Info

Excelsior Orthopaedics, LLP, a comprehensive musculoskeletal healthcare provider based in Amherst, New York, experienced a significant data breach on June 23, 2024. The breach affected approximately 357,000 individuals across the United States, exposing a wide range of sensitive personal and medical information.

The breach was discovered when Excelsior detected unusual activity on its network. A subsequent investigation revealed that unauthorized actors had gained access to their systems, compromising data related to both current and former patients, as well as employees. The breach also impacted related entities, including the Buffalo Surgery Center and Northtowns Orthopaedics.

The compromised information includes a mix of personal identifiers, medical details, and financial data.

Specific types of information exposed

  • Full name
  • Address
  • Date of birth
  • Social Security Number
  • Driver’s License number or non-driver identification card number
  • Biometric information
  • Medical Record Number
  • Diagnosis and Diagnosis Code
  • Treatment Location
  • Procedure Type
  • Provider Name
  • Treatment Cost
  • Medical Date of Service
  • Health Insurance Information
  • Subscriber Member Number
  • Patient Account Number

The breach was disclosed to various state attorney general offices, including Maine and Texas. According to the Maine Attorney General's website, 32 residents of Maine were affected. Similarly, the Texas Attorney General's website reports that 334 individuals in Texas were impacted. Notifications to affected individuals began on December 31, 2024, through written correspondence.

Excelsior Orthopaedics, LLP's Response

Upon discovering the breach, Excelsior Orthopaedics took action to contain the incident. They disconnected external access to their network, isolated suspect equipment, and changed all system credentials to secure user and administrative accounts.

The company also engaged a specialized third-party cybersecurity firm to conduct a comprehensive forensic investigation into the nature and scope of the breach.

Excelsior implemented several measures to strengthen their security infrastructure, including deploying new security tools, redesigning key systems and business processes, and enhancing internal security awareness campaigns. The organization has also partnered with a managed security service provider to monitor and protect their systems more effectively.

In addition to these technical measures, Excelsior has reported the incident to the FBI and is cooperating with law enforcement investigations. To support affected individuals, the company is offering 12 months of complimentary credit monitoring and identity theft restoration services through CyberScout, a TransUnion company.

Affected by the Excelsior Orthopaedics data breach?

If you believe you may have been affected by the Excelsior Orthopaedics data breach, it is crucial to take immediate steps to protect yourself. The breach involved highly sensitive information, including Social Security Numbers and medical details, which could be used for identity theft or fraud. Here's what you should do:

  1. Enroll in the free credit monitoring services provided by Excelsior Orthopaedics. Instructions for enrollment were included in the notification letter sent to affected individuals.
  2. Monitor your financial accounts and credit reports for any suspicious activity. You can request a free credit report from each of the three major credit bureaus at Annual Credit Report.
  3. Place a fraud alert on your credit file to make it harder for identity thieves to open accounts in your name. This service is free and can be set up with any of the major credit bureaus:
    1. Experian: Fraud Alerts
    2. TransUnion: Fraud Alerts
    3. Equifax: Fraud Alerts
  4. Consider placing a security freeze on your credit file to prevent new accounts from being opened without your consent. Learn more about how to initiate a freeze:
    1. Experian: Security Freeze
    2. TransUnion: Security Freeze
    3. Equifax: Security Freeze
  5. Be vigilant for phishing attempts or other suspicious communications. Scammers may attempt to exploit the breach by posing as legitimate organizations to steal additional information.
  6. Utilize identity theft resources provided by the Federal Trade Commission (FTC) at IdentityTheft.gov for guidance on recovering from identity theft.


Affected Entity: Excelsior Orthopaedics
Consumers Notification Date: December 31, 2024
Breach Discovered Date: June 23, 2024
