.png)
Orthopaedic Institute of Western Kentucky Data Breach
The Orthopaedic Institute of Western Kentucky has reported a significant data breach affecting patient information. The incident was disclosed to the Massachusetts Office of Consumer Affairs and Business Regulation on March 5, 2026. According to the notice, the breach originated from a third-party vendor, Keystone Technologies, which provided managed IT services for the institute.
The breach involved two separate cybersecurity incidents on Keystone Technologies’ systems. The first unauthorized access occurred between April 21 and April 26, 2025, and the second between July 19 and Aug. 1, 2025.
During these periods, unauthorized third parties gained access to the vendor’s systems and obtained files containing sensitive patient data. The Orthopaedic Institute of Western Kentucky, which ended its independent practice on Dec. 31, 2023, and was later acquired by Mercy Health — Western Kentucky Orthopedics, identified the exposed data after a detailed review in December 2025 and January 2026.
The information exposed includes both personally identifiable information (PII) and protected health information (PHI): names, Social Security numbers, addresses, dates of birth, medical record numbers, health insurance information and treatment details.
The breach affected at least one Massachusetts resident, with a total of 141 individuals impacted in Rhode Island.
Orthopaedic Institute of Western Kentucky's response
To support those affected, the institute is offering a complimentary 12-month membership in Experian IdentityWorks Credit 3B. This service provides credit monitoring, internet surveillance, identity restoration assistance and up to $1 million in identity theft insurance. Enrollment instructions and support contact information are included in the official notice to consumers.
Anyone who may be affected is encouraged to:
- Enroll in the complimentary credit monitoring service
- Review medical bills and explanation of benefits for suspicious activity
- Contact their insurance company or healthcare provider if they notice unusual charges
Additionally, individuals should remain vigilant by reviewing account statements and free annual credit reports for unauthorized activity. The notice also provides information on how to place fraud alerts or security freezes with major credit bureaus, as well as contact details for the Federal Trade Commission and state attorney general offices for further assistance.
Names
Social Security Numbers
Dates of Birth
Addresses
Government IDs
Medical Info
Financial Info- Affected information types not yet disclosed
Data Breach Settlements
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
Subscribe to our weekly class actions newsletter.
.svg)