Cyber Incident Victim: Bone & Joint

Date: Jan 2023

Location: United States of America

Summary

Bone & Joint experienced a network outage resulting in unauthorized access to sensitive personal and protected health information. The breach compromised names, dates of birth, Social Security numbers, addresses, phone numbers, health insurance details, and medical treatment data of current and former patients and employees. Following an investigation, the organization confirmed the scope of affected data and began notifying impacted individuals. The incident exposed highly sensitive information, potentially affecting a substantial number of people given the company's size and reach in orthopedic care services.

Description

On January 16, 2023, Bone & Joint, a Wisconsin-based orthopedic care provider, identified a "network outage" disrupting its computer systems. The organization initiated an investigation but did not publicly disclose technical details regarding the nature or cause of the outage. By January 27, 2023, Bone & Joint completed its review of affected files, confirming unauthorized access to sensitive personal and protected health information belonging to current and former patients and employees. The compromised data included names, dates of birth, Social Security numbers, home addresses, phone numbers, health insurance details, and diagnosis and treatment information. The breach impacted individuals across Bone & Joint's seven locations in Medford, Merrill, Mosinee, Plover, Rib Mountain, Wausau, and Weston, though the exact number of affected parties was not specified in available reports. Bone & Joint did not characterize the incident as a cyberattack or ransomware event in its public communications, referring only to the outage and subsequent unauthorized data access.

Bone & Joint began notifying affected individuals via mailed data breach letters on March 7, 2023, approximately seven weeks after concluding its internal review. The notifications outlined the types of exposed information but did not provide specifics regarding how the outage facilitated unauthorized access or whether data exfiltration occurred. As of March 13, 2023, Bone & Joint had not filed a breach notice with the U.S. Department of Health and Human Services Office for Civil Rights, though it issued a press release on March 10, 2023, offering additional incident details. The breach exposed both personal identifiers and clinical information, creating potential risks of identity theft and medical fraud for impacted patients and employees. Bone & Joint, which employs over 270 staff and generates approximately $39 million in annual revenue, did not disclose remediation measures taken following the outage or whether third-party cybersecurity assistance was engaged during the investigation. No threat actor group claimed responsibility for the incident in available reporting.
