
Rochester Philharmonic Orchestra, a nonprofit orchestra based in Rochester, New York, disclosed a data breach that affected approximately 1,726 individuals in the United States, including three Maine residents.
On Oct. 21, 2025, the Rochester Philharmonic Orchestra experienced its servers going online and offline. The organization engaged independent cybersecurity experts to help investigate what had occurred.
As a result of the investigation, the organization determined that specific sections of its network may have been accessed without authorization.
On Nov. 25, 2025, the ransomware group known as Akira claimed responsibility for the attack on the dark web. The group claimed to have obtained the organization's data, reportedly including personal information, budget documents, internal confidential documents and nondisclosure agreements.
The types of personally identifiable information exposed included names, Social Security numbers, driver's license numbers and passport numbers.
The breach also exposed protected health information, including health insurance information and medical information.
Rochester Philharmonic Orchestra is offering affected individuals complimentary identity protection services through IDX. The IDX services include 12 months of credit monitoring, dark web monitoring, a $1 million identity fraud loss reimbursement policy and fully managed identity theft recovery services.
Affected individuals can enroll by calling 1-833-788-9712, visiting the IDX enrollment page or scanning the QR code included in their written notification letter. The deadline to enroll in these services is Aug. 27, 2026.
IDX is also supporting a dedicated call center for at least 90 days to answer questions related to the incident. The call center can be reached at 1-833-788-9712 and is available Monday through Friday from 9 a.m. to 9 p.m. Eastern time, excluding U.S. holidays.







