Greater Pittsburgh Orthopaedic Associates Hit by Suspected Ransomware Attack in 2025
Greater Pittsburgh Orthopaedic Associates (GPOA) recently disclosed a cybersecurity breach affecting tens of thousands of patients, with evidence pointing to a ransomware attack by the group RansomHouse. The incident, which occurred on or around August 10, 2025, was first flagged when RansomHouse added GPOA to its dark web leak site on August 20, 2025, claiming the organization’s systems had been encrypted and data exfiltrated. Proof of the breach was provided, though the group never updated its listing, leaving uncertainty over whether stolen data was sold or leaked.
GPOA reported the breach to the U.S. Department of Health and Human Services (HHS) on August 27, 2025, initially citing 35,000 affected patients. However, in a February 20, 2026, filing with the Maine Attorney General’s Office, the organization’s external counsel revised the number to 56,954 individuals, though it remains unclear whether this includes non-patients or reflects the final tally. The HHS breach tool has not been updated, and the agency’s investigation remains open.
Patient notifications were delayed until February 5, 2026, when letters were mailed out. The disclosure confirmed that exposed data may have included names, mailing addresses, Social Security numbers, and provider names though GPOA made no mention of ransomware or extortion attempts in its communications. As a remedial measure, the organization arranged credit monitoring and credit score services through Cyberscout for affected individuals.
The 2025 incident may not have been GPOA’s first cybersecurity compromise. In May 2024, a threat group known as DonutLeaks (or variations of the name) claimed to have targeted "Pittsburgh’s Trusted Orthopaedic Surgeons" a branding used by GPOA on a dark web leak site. The group’s listing later went offline, and GPOA did not publicly acknowledge the claims. The alleged 2024 breach does not appear on HHS’s public records, raising questions about whether it was reported or if data was leaked.
GPOA has not responded to inquiries about either incident, including requests for clarification on the 2025 attack’s scope and its response to the 2024 claims. As of publication, it remains unclear whether the organization experienced two separate cyberattacks in the past two years or if data from either was sold or exposed. The lack of transparency and delayed disclosures have left affected patients with lingering uncertainties.
Greater Pittsburgh Orthopaedic Associates TPRM report: https://www.rankiteo.com/company/greater-pittsburgh-orthopaedic-associates-gpoa
"id": "gre1771958137",
"linkid": "greater-pittsburgh-orthopaedic-associates-gpoa",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '56,954',
'industry': 'Healthcare',
'location': 'Pittsburgh, Pennsylvania, USA',
'name': 'Greater Pittsburgh Orthopaedic Associates '
'(GPOA)',
'type': 'Healthcare Provider'}],
'customer_advisories': 'Patient notifications mailed on February 5, 2026',
'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
'data_exfiltration': 'Yes',
'number_of_records_exposed': '56,954',
'personally_identifiable_information': 'Names, mailing '
'addresses, Social '
'Security numbers, '
'provider names',
'sensitivity_of_data': 'High (SSNs, names, addresses, '
'provider names)',
'type_of_data_compromised': 'Personally Identifiable '
'Information (PII)'},
'date_detected': '2025-08-20',
'date_publicly_disclosed': '2026-02-05',
'description': 'Greater Pittsburgh Orthopaedic Associates (GPOA) disclosed a '
'cybersecurity breach affecting tens of thousands of patients, '
'with evidence pointing to a ransomware attack by the group '
'RansomHouse. The incident involved data encryption and '
'exfiltration, with delayed patient notifications and unclear '
'final impact.',
'impact': {'brand_reputation_impact': 'Likely negative due to delayed '
'disclosures and lack of transparency',
'data_compromised': 'Names, mailing addresses, Social Security '
'numbers, provider names',
'identity_theft_risk': 'High (due to exposure of SSNs and PII)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Unconfirmed (RansomHouse '
'claimed data exfiltration '
'but did not update '
'listing)'},
'investigation_status': 'Ongoing (HHS investigation open)',
'motivation': 'Extortion',
'post_incident_analysis': {'corrective_actions': 'Credit monitoring and '
'credit score services '
'provided to affected '
'individuals'},
'ransomware': {'data_encryption': 'Yes', 'data_exfiltration': 'Yes'},
'references': [{'source': 'Dark web leak site (RansomHouse)'},
{'source': 'U.S. Department of Health and Human Services (HHS) '
'breach report'},
{'source': 'Maine Attorney General’s Office filing'}],
'regulatory_compliance': {'regulations_violated': 'HIPAA (likely)',
'regulatory_notifications': 'Reported to U.S. '
'Department of Health '
'and Human Services '
'(HHS) and Maine '
'Attorney General’s '
'Office'},
'response': {'communication_strategy': 'Delayed patient notifications via '
'mail (February 5, 2026)',
'third_party_assistance': 'Cyberscout (credit monitoring '
'services)'},
'threat_actor': 'RansomHouse',
'title': 'Greater Pittsburgh Orthopaedic Associates Hit by Suspected '
'Ransomware Attack',
'type': 'Ransomware'}