Cyber Incident Victim: OrthoArizona
Date: Oct 2021
Location: United States of America
Summary
OrthoArizona experienced a cyberattack resulting in unauthorized access to sensitive data affecting 2,748 individuals, detected in late October 2021. Exposed information included names, addresses, dates of birth, Social Security numbers, and health insurance details. The organization engaged cybersecurity experts for an extensive investigation and remediation, leading to delayed notifications. While no fraud was identified, affected individuals with exposed Social Security numbers were offered complimentary credit monitoring and identity theft protection services. The entity subsequently enhanced its data security policies and procedures following the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
OrthoArizona detected a cybersecurity incident on October 30, 2021, prompting immediate engagement with a third-party cybersecurity firm to investigate the breach. The forensic investigation revealed unauthorized access to protected health information, though the specific method of intrusion was not disclosed in public notifications. The compromised data included patient names, mailing addresses, dates of birth, Social Security numbers, and certain health insurance information. Due to the complexity of determining precisely which records were accessed or exfiltrated, OrthoArizona conducted a comprehensive review of all potentially affected files. This process extended over several months, with the organization describing it as "extensive and labor intensive," resulting in delayed notifications to impacted individuals nearly nine months after detection.

The breach affected 2,748 individuals, with no evidence of fraud or misuse identified at the time of notification. OrthoArizona implemented specific remediation measures, including offering complimentary credit monitoring and identity theft protection services through IDX to individuals whose Social Security numbers were exposed. The organization conducted a full review of its data security policies and procedures following the incident, implementing enhancements to strengthen protections against future attacks. Notifications were issued without specifying whether the breach involved ransomware, phishing, or other attack vectors, focusing instead on confirmed compromised data elements and remediation efforts. No operational disruptions or system availability issues were reported in conjunction with the incident.
