Orthopaedic Institute of Western Kentucky Reports Data Breach Affecting Patient Information
The Orthopaedic Institute of Western Kentucky disclosed a significant data breach involving sensitive patient information, reported to the Massachusetts Office of Consumer Affairs and Business Regulation on March 5, 2026. The breach stemmed from two cybersecurity incidents at Keystone Technologies, a third-party managed IT services vendor for the institute.
Unauthorized access occurred during two distinct periods: April 21–26, 2025, and July 19–August 1, 2025. Attackers exfiltrated files containing personally identifiable information (PII) and protected health information (PHI), including names, Social Security numbers, addresses, dates of birth, medical record numbers, health insurance details, and treatment records.
The breach was identified after a review conducted in December 2025 and January 2026 by the Orthopaedic Institute, which had ceased independent operations on December 31, 2023, following its acquisition by Mercy Health Western Kentucky Orthopedics. The incident impacted at least 141 individuals in Rhode Island and one Massachusetts resident.
In response, the institute is offering affected individuals a complimentary 12-month membership in Experian IdentityWorks Credit 3B, which includes credit monitoring, identity restoration assistance, and up to $1 million in identity theft insurance. The notice also advises reviewing medical statements, monitoring credit reports, and placing fraud alerts or security freezes with credit bureaus.
Source: https://www.claimdepot.com/data-breach/orthopaedic-institute-of-western-kentucky-2026
The Orthopaedic Institute of Western Kentucky cybersecurity rating report: https://www.rankiteo.com/company/the-orthopaedic-institute-of-western-kentucky
{
  "id": "THE1772785835",
  "linkid": "the-orthopaedic-institute-of-western-kentucky",
  "type": "Breach",
  "date": "4/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '142+',
                        'industry': 'Healthcare',
                        'location': 'Western Kentucky, USA',
                        'name': 'Orthopaedic Institute of Western Kentucky',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Information Technology',
                        'name': 'Keystone Technologies',
                        'type': 'Managed IT Services Vendor'}],
 'attack_vector': 'Third-party vendor compromise',
 'customer_advisories': 'Affected individuals offered complimentary 12-month '
                        'membership in Experian IdentityWorks Credit 3B, '
                        'including credit monitoring, identity restoration '
                        'assistance, and up to $1 million in identity theft '
                        'insurance',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': ['Names',
                                                         'Social Security '
                                                         'numbers',
                                                         'Addresses',
                                                         'Dates of birth',
                                                         'Medical record '
                                                         'numbers',
                                                         'Health insurance '
                                                         'details',
                                                         'Treatment records'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally identifiable '
                                              'information (PII)',
                                              'Protected health information '
                                              '(PHI)']},
 'date_detected': '2025-12-01',
 'date_publicly_disclosed': '2026-03-05',
 'description': 'The Orthopaedic Institute of Western Kentucky disclosed a '
                'significant data breach involving sensitive patient '
                'information, stemming from two cybersecurity incidents at '
                'Keystone Technologies, a third-party managed IT services '
                'vendor. Unauthorized access occurred during two distinct '
                'periods, leading to the exfiltration of personally '
                'identifiable information (PII) and protected health '
                'information (PHI).',
 'impact': {'data_compromised': 'Personally identifiable information (PII) and '
                                'protected health information (PHI)',
            'identity_theft_risk': 'High'},
 'investigation_status': 'Completed',
 'post_incident_analysis': {'root_causes': 'Third-party vendor compromise '
                                           'during two distinct periods (April '
                                           '21–26, 2025, and July 19–August 1, '
                                           '2025)'},
 'recommendations': 'Review medical statements, monitor credit reports, place '
                    'fraud alerts or security freezes with credit bureaus',
 'references': [{'source': 'Massachusetts Office of Consumer Affairs and '
                           'Business Regulation'}],
 'regulatory_compliance': {'regulations_violated': ['HIPAA'],
                           'regulatory_notifications': ['Massachusetts Office '
                                                        'of Consumer Affairs '
                                                        'and Business '
                                                        'Regulation',
                                                        'Rhode Island '
                                                        'regulatory '
                                                        'authorities']},
 'response': {'communication_strategy': 'Public disclosure via regulatory '
                                        'filing and advisories to affected '
                                        'individuals',
              'remediation_measures': 'Review of breach, offering credit '
                                      'monitoring and identity theft insurance '
                                      'to affected individuals'},
 'title': 'Orthopaedic Institute of Western Kentucky Data Breach',
 'type': 'Data Breach'}