HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Concord Orthopaedics breach compromises patient health data

Written by Caitlin Anthoney | Apr 8, 2025 12:07:02 AM

A New Hampshire-based healthcare provider, Concord Orthopaedics, recently confirmed that a November 2024 data breach exposed an unknown number of patients’ health information. The breach was linked to a third-party software vulnerability, putting affected individuals at risk of identity theft and fraud.


What happened

On March 25, 2025, Concord Orthopaedics announced a data breach, confirming that an unauthorized party accessed patient data through third-party software used for patient check-ins. The organization was first alerted to the breach on November 21, 2024, by the software vendor, prompting an immediate investigation and security measures.

While the breach did not compromise Concord Orthopaedics’ internal network, patient data stored within the third-party vendor’s system was exposed. The compromised information includes patient names, Social Security numbers, dates of birth, driver’s license or state identification numbers, health insurance information, and appointment details.

In response, Concord Orthopaedics posted a notice on its website and began notifying affected individuals. The organization is offering complimentary credit monitoring services and implementing enhanced security protocols to prevent future incidents.


What was said

According to Concord’s notice, “The confidentiality, privacy, and security of information entrusted to Concord and maintained by our third-party vendors remains our top priority. Upon becoming aware of potential access to this third-party software, we moved quickly and diligently to investigate the claims, ensure the security of our separate environment, and work with the third-party vendor to identify whose information may have been impacted.”

“We notified federal law enforcement about this matter and continue to review our practices and policies related to third-party vendors to avoid a similar event from reoccurring in the future,” the notice adds.

Furthermore, affected individuals are encouraged to:

  • Enroll in identity protection services by calling 1-855-659-0098 (Mon-Fri, 9 AM - 9 PM ET) if they believe they were affected.
  • Regularly check financial and credit accounts for suspicious activity.
  • Request a free credit report at www.annualcreditreport.com or call 1-877-322-8228.
  • Report identity theft at www.identitytheft.gov or call 1-877-438-4338.
  • Notify local law enforcement and their state’s Attorney General (Iowa, Maryland, New York, North Carolina, Oregon, Rhode Island, and Washington, DC).
  • Place fraud alerts or security freezes using Equifax (1-800-525-6285), Experian (1-888-397-3742), or TransUnion (1-888-909-8872) to prevent unauthorized access.
  • Know their rights under the Fair Credit Reporting Act (FCRA), where they can dispute inaccurate information and limit pre-screened credit offers.

Read also: How to secure email communications with third-party vendors


FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

See also: How to respond to a data breach


Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities, meaning entities that perform certain functions or activities on behalf of a covered entity.


Are third-party vendors required to follow HIPAA?

Yes, any vendor handling PHI must comply with HIPAA’s Security and Privacy Rules.