Excelsior Orthopaedics is notifying approximately 357,000 people that their personal and health information was compromised in a data breach resulting from a ransomware attack that came to light in June 2024.
Excelsior Orthopaedics is a healthcare company specializing in orthopaedic care. It operates several clinics in Amherst, New York, including the Buffalo Surgery Center and Northtowns Orthopaedics.
In June 2024, Excelsior fell victim to a “data security incident” that was initially believed to have resulted in the information of current and former employees being compromised.
After sending an initial wave of written notification letters to the potentially affected individuals in early August, the company sent a second wave of letters on December 31, having learned that the scope of the data breach was wider and that patient information was also compromised.
“Initial results of the forensic investigation indicated that the incident resulted in the compromise of data relating to current and former patients and employees of Excelsior and its related entities, including the Buffalo Surgery Center and Northtowns Orthopaedics,” the company said in a filing with the Maine Attorney General’s Office this week.
The potentially compromised data includes names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, diagnosis information, treatment details, health insurance information, and biometric information.
The company told the Maine AGO that roughly 357,000 people were impacted by the data breach and that it is providing them with twelve months of free credit monitoring and fraud assistance services.
Excelsior did not share information on the type of cyberattack it fell victim to, but its initial notification letter did reveal that it disconnected external access to the network and that efforts to restore the environment were ongoing at the end of July, suggesting a ransomware attack.
Furthermore, the Monti ransomware gang added Excelsior to its Tor-based leak site in early July, claiming the theft of 300 gigabytes of data from the company. Monti has since made the allegedly stolen information publicly available.