Integrated Orthopedics of Arizona announce email-related data breach

The Phoenix-based Orthopedics group recently notified patients of an email-related data breach. 

What happened

Integrated Orthopedics of Arizona (IOA) has notified patients of a data breach impacting an unknown number of patients. 

IOA has not yet notified the Department of Health and Human Services (HHS), but they have posted a notice online and begun contacting patients. It’s likely IOA will notify the HHS once the number of impacted individuals is finalized. 

According to the breach notice, IOA does know impacted information includes names, addresses, dates of birth, medical record numbers, patient IDs or account numbers, Medicare numbers, Medicaid numbers, health insurance information, treatment information, and for some, driver’s license numbers or and/or Social Security numbers. 

Going deeper

IOA posted the data breach notice to their website on August 11th, 2025, approximately four months after the breach took place. The notice stated IOA first became aware of suspicious activity in its email on April 7th, 2025. An investigation determined that some emails may have been copied without authorization. The investigation concluded on June 19th, 2025. 

The big picture

In response to the incident, IOA is offering some guidance on how to better protect against identity theft and fraud. In this case, IOA noted this breach was linked to their email systems, a common attack vector. Yet email breaches can easily be prevented with tools like Paubox, which carefully monitor for spam, malware, phishing, and more. 

FAQs

How long does IOA have to notify the HHS? 

The IOA technically has 60 days (after discovering a breach) to notify the HHS. Although organizations are expected to follow this rule, notification is frequently delayed due to the investigation of the breach, which can be a time-consuming process. Since IOA has already notified patients, it’s likely that they will be notifying the HHS fairly soon.  

Why does notifying the HHS of a data breach matter? 

The HHS keeps the largest, most updated database of healthcare data breaches in the United States, allowing analysts to evaluate trends and understand weaknesses in current cybersecurity.