Western Orthopaedics Data Breach Exposes Sensitive Patient Information
Western Orthopaedics P.C., a long-standing orthopedic surgery practice in Denver, disclosed a data breach affecting hundreds of patients across Texas and Massachusetts. Between September 17 and September 25, 2025, an unauthorized third party accessed and exfiltrated sensitive data from the practice’s systems. The breach was confirmed after an investigation concluded on March 3, 2026.
The exposed information included personally identifiable details such as full names, addresses, phone numbers, Social Security numbers, dates of birth, and financial account or payment card data (with or without security codes). Additionally, protected health information including insurance details, provider names, medical service dates, and billing records was compromised.
On October 4, 2025, the ransomware group PEAR claimed responsibility for the attack, posting about the breach on a Tor-based dark web site and asserting they had obtained the organization’s data.
In response, Western Orthopaedics notified affected individuals via U.S. Mail and offered complimentary credit monitoring and identity protection services through Epiq. The services include one-bureau credit monitoring, dark web surveillance, credit freeze assistance, and identity restoration support. A dedicated incident response line (855-815-3938) was established for inquiries, available weekdays from 8 a.m. to 8 p.m. Central Time.
A total of 363 Texas residents and 46 Massachusetts residents were impacted by the breach.
Source: https://www.claimdepot.com/data-breach/western-orthopaedics-2026
Western Orthopedics and Sports Medicine cybersecurity rating report: https://www.rankiteo.com/company/western-orthopedics-and-sports-medicine
"id": "WES1778006294",
"linkid": "western-orthopedics-and-sports-medicine",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '409 (363 Texas residents, 46 '
'Massachusetts residents)',
'industry': 'Healthcare',
'location': 'Denver, Colorado, USA',
'name': 'Western Orthopaedics P.C.',
'type': 'Healthcare Provider'}],
'attack_vector': 'Unauthorized Access',
'customer_advisories': 'Complimentary credit monitoring and identity '
'protection services offered to affected individuals',
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '409',
'personally_identifiable_information': ['Full names',
'Addresses',
'Phone numbers',
'Social Security '
'numbers',
'Dates of birth',
'Financial account or '
'payment card data'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information',
'Protected Health Information']},
'date_detected': '2025-09-25',
'date_publicly_disclosed': '2026-03-03',
'description': 'Western Orthopaedics P.C. disclosed a data breach affecting '
'hundreds of patients across Texas and Massachusetts. An '
'unauthorized third party accessed and exfiltrated sensitive '
'data from the practice’s systems between September 17 and '
'September 25, 2025. The breach was confirmed after an '
'investigation concluded on March 3, 2026.',
'impact': {'data_compromised': 'Personally identifiable information and '
'protected health information',
'identity_theft_risk': 'High',
'payment_information_risk': 'High'},
'investigation_status': 'Concluded',
'motivation': 'Data Exfiltration',
'ransomware': {'data_exfiltration': True, 'ransomware_strain': 'PEAR'},
'references': [{'date_accessed': '2025-10-04',
'source': 'Dark Web (Tor-based site)'}],
'regulatory_compliance': {'regulations_violated': ['HIPAA']},
'response': {'communication_strategy': 'U.S. Mail notifications to affected '
'individuals, dedicated incident '
'response line (855-815-3938)',
'third_party_assistance': 'Epiq (credit monitoring and identity '
'protection services)'},
'threat_actor': 'PEAR (ransomware group)',
'title': 'Western Orthopaedics Data Breach Exposes Sensitive Patient '
'Information',
'type': 'Data Breach'}