Excelsior Orthopaedics, LLP, a healthcare provider based in Amherst, New York, recently disclosed a data breach after discovering an unauthorized party accessed its computer network. The breach compromised financial and protected health information (PHI) belonging to almost 357,000 patients and employees.
On January 7, 2025, Excelsior Orthopaedics, LLP (“Excelsior”) filed a notice of a data breach with the Attorney General of Maine after discovering unauthorized access to its computer network. The breach, which began on June 23, 2024, exposed sensitive data belonging to patients and employees of Excelsior and its affiliates, including Buffalo Surgery Center and Northtowns Orthopaedics. The compromised information includes names, Social Security numbers, driver’s license numbers, demographic data, medical records, health insurance details, and financial information.
Excelsior contained the incident upon detection and engaged cybersecurity experts to investigate. After confirming the breach’s impact, the company notified affected individuals on December 31, 2024. These letters provide details about what specific information was compromised for each individual.
The Excelsior public notice stated, “Excelsior is committed to ensuring the privacy and security of all personal information in our care, and we will continue to take steps to mitigate the risk of future harm.”
Additionally, “Excelsior is offering complimentary credit monitoring and identity theft protection services to affected individuals whose personal information was impacted.”
The breach at Excelsior Orthopaedics shows how vulnerable healthcare systems are to cyberattacks. For healthcare providers, such breaches result in significant financial and reputational costs, regulatory scrutiny, and legal repercussions.
For individuals, on the other hand, exposure of this data can have severe consequences, such as identity theft, financial fraud, and unauthorized access to medical records.
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.