Excelsior Orthopaedics, LLP, a comprehensive musculoskeletal healthcare provider based in Amherst, New York, experienced a significant data breach on June 23, 2024. The breach affected approximately 394,752 individuals across the United States, exposing a wide range of sensitive personal and medical information.
An amended filing with the Maine Attorney General increased the number of people affected to 394,752 from 357,000.
The breach was discovered when Excelsior detected unusual activity on its network. A subsequent investigation revealed that unauthorized actors had gained access to their systems, compromising data related to both current and former patients, as well as employees. The breach also impacted related entities, including the Buffalo Surgery Center and Northtowns Orthopaedics.
The compromised information includes a mix of personal identifiers, medical details, and financial data.
Specific types of information exposed
The breach was disclosed to various state attorney general offices, including Maine and Texas. According to the Maine Attorney General's website, 32 residents of Maine were affected. Similarly, the Texas Attorney General's website reports that 334 individuals in Texas were impacted. Notifications to affected individuals began on December 31, 2024, through written correspondence.
Upon discovering the breach, Excelsior Orthopaedics took action to contain the incident. They disconnected external access to their network, isolated suspect equipment, and changed all system credentials to secure user and administrative accounts.
The company also engaged a specialized third-party cybersecurity firm to conduct a comprehensive forensic investigation into the nature and scope of the breach.
Excelsior implemented several measures to strengthen their security infrastructure, including deploying new security tools, redesigning key systems and business processes, and enhancing internal security awareness campaigns. The organization has also partnered with a managed security service provider to monitor and protect their systems more effectively.
In addition to these technical measures, Excelsior has reported the incident to the FBI and is cooperating with law enforcement investigations. To support affected individuals, the company is offering 12 months of complimentary credit monitoring and identity theft restoration services through CyberScout, a TransUnion company.
If you believe you may have been affected by the Excelsior Orthopaedics data breach, it is crucial to take immediate steps to protect yourself. The breach involved highly sensitive information, including Social Security numbers and medical details, which could be used for identity theft or fraud. Here's what you should do:
A breach notice means your personal details could be circulating far beyond the organization involved. One practical step is continuous monitoring: services such as Identity Defender (included with an ExpressVPN subscription) can automatically check dark-web markets, flag new credit-file activity, and request removal of your information from data-broker sites.
This kind of “early-warning system” can’t undo a breach, but it can help you spot misuse quickly and limit further exposure.