
Greater Pittsburgh Orthopedic Associates hit by RansomHouse threat group

The practice says the breach impacted over 56K individuals.

 

What happened

Greater Pittsburgh Orthopedic Associates (GPOA), which has six offices in and around Pittsburgh, Pennsylvania, recently notified patients of a data breach. While the healthcare practice hasn’t posted a notice on its website, it did notify the Attorney General of Maine of the breach, stating that the incident has impacted 56,954 individuals.

The notice also stated that the breach took place on August 9th, 2025, and was discovered the following day on August 10th. Compromised information varied, but may have included names, mailing addresses, Social Security numbers, and provider information.

 

Going deeper

GPOA said that on the breach date, an unauthorized individual or group accessed the organization’s computer network.

Although GPOA has not stated that the incident was a ransomware attack, on August 20th, 2025, the ransomware group RansomHouse claimed responsibility for the attack. Ransomware.Live, a ransomware monitoring group, provided a screenshot uploaded by RansomHouse to prove they had the data (although the screenshot itself is not definitive proof the malicious organization has all of the data it claims).

In RansomHouse’s note, the group said, “Dear management Great Pittsburg Orthopaedic Associates, We are sure that you are not interested in your confidential data to be leaked or sold to a third party.” It’s unclear what RansomHouse demanded or if GPOA engaged in any negotiations.

 

In the know

According to a cybersecurity advisory by CISA, RansomHouse is believed to be linked to Iran and may be state-sponsored. The group is known to target US-based schools, municipal governments, financial institutions, and healthcare facilities. Given rising political tensions between Iran and the US, CISA has noted an increase in Iranian cyber actors targeting vulnerable US networks. One cybersecurity firm found that Iran-based cyber attacks had spiked 133% in mid-2025, but no recent reports have documented whether the spike has continued or flatlined. RansomHouse, in particular, has continued to develop new strategies to attack and extort victims, with a recent report documenting an upgrade in its encrypting tools.

 

The big picture

Following the incident, GPOA said it engaged third-party experts, enhanced its security network, and completed a digital forensic investigation. While GPOA is working to prevent an incident like this from occurring again, prevention is the best cybersecurity strategy.

According to a recent Paubox report, ransomware attacks have been surging since 2018, and are now up 264%. The same report noted that the most common vector for these attacks is email, meaning that securing email systems, training employees, and using strong encryption software have to be priorities for healthcare organizations as they navigate a changing and growing threat environment.

 

FAQs

Why would a state-sponsored group target a relatively small healthcare organization?

First, it’s important to note that while there are claims that RansomHouse is state-sponsored by Iran, it is not definitively known. Second, threat groups may target small organizations to sow chaos and unease, or simply because the organization appears to be vulnerable. In fact, smaller organizations are sometimes more vulnerable to attacks since they are more likely to have outdated cybersecurity systems and practices.

 

Will GPOA negotiate with RansomHouse?

The public is rarely informed of negotiations between practices and ransomware organizations, but it’s generally not advised to negotiate with threat actors. These actors have no real incentive to protect data or keep their promises to practices.
