
Orthopaedic Specialists of Connecticut (OSC), a healthcare practice based in Brookfield, Connecticut, has notified patients of a data breach resulting from a network security incident in early March. The breach affected over 22,500 individuals and potentially exposed sensitive personal and medical information. Notably, a known ransomware group has reportedly claimed responsibility for the attack.
What happened
According to its public notice, OSC detected unauthorized access to its network environment on March 2, 2025. OSC states it immediately took steps to secure the network and engaged a third-party forensic firm to investigate. The investigation determined that the unauthorized party may have acquired certain patient data as a result of the intrusion. Adding to the concern, the hacking group "INC RANSOM" claimed responsibility for an attack on OSC via a dark web posting on April 14, 2025, alleging it had obtained data from the organization.
What's new
OSC issued a public notice on April 23, 2025, and submitted details to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) around the same time, reporting that 22,541 individuals were affected. The investigation, completed in April 2025, confirmed that potentially compromised information includes first names, last names, dates of birth, Social Security numbers, health insurance ID numbers, and medical information, though the specific data elements varied for each affected individual. OSC is sending written notices to those impacted and is offering 12 months of complimentary credit monitoring and identity theft protection services.
Why it matters
This incident involves the potential exposure of significant personal data (like SSNs) and sensitive protected health information (PHI) related to orthopedic conditions and treatments. The claim by the INC RANSOM group explicitly suggests data exfiltration, raising the risk that the stolen information could be leaked publicly or sold on the dark web, increasing the potential for identity theft, financial fraud, and misuse of medical information for affected patients.
What they're saying
In its notice, OSC stated, "OSC takes the privacy and security of information in its possession very seriously and sincerely apologizes for any inconvenience this incident may cause." The practice noted that, as of its notice date, it had no reason to believe any individual's information had been specifically misused and had not received reports of related identity theft. However, multiple data breach law firms (including Srourian Law Firm, Shamis & Gentile P.A., Strauss Borrelli PLLC, and affiliates of ClassAction.org) have already announced investigations into the breach and are seeking contact with affected individuals regarding potential class action lawsuits.
FAQs
What is data exfiltration?
Data exfiltration refers to the unauthorized copying or transfer of sensitive information from a network or system to an external location or one controlled by the attacker.
What does it mean that a ransomware group ("INC RANSOM") has claimed responsibility for the attack?
When a ransomware group claims responsibility, it usually means they not only gained unauthorized access to a network but also deployed ransomware, which often involves encrypting data to demand a ransom payment for its decryption. Additionally, these groups frequently exfiltrate data before encryption as leverage. Their claim suggests that the data obtained from OSC could be leaked publicly or sold if their demands are not met, increasing the risk of identity theft and fraud for affected individuals.
Why are data breach law firms announcing investigations into this incident? What does that mean for affected individuals?
Law firms investigate to evaluate legal claims against OSC for the breach, inform affected individuals of their rights, potentially file class action lawsuits to seek compensation for damages, and encourage better data security. For affected individuals, it means they may have legal options to pursue for potential harm suffered due to the data exposure.