The New York-based healthcare organization recently announced a data breach.
What happened
Northeast Orthopedics and Sports Medicine, a New York-based practice, was recently part of a large data breach impacting multiple practices across the nation. At the root was third-party organization Infosys McCamish Systems LLC, a subsidiary of India-based company Infosys.
Northeast Orthopedics, which has nine centers in New York, announced the breach had impacted approximately 177,000 individuals, most of whom had been patients. The practice initially said they had noticed suspicious activity on November 22nd, 2023. It confirmed unauthorized access on December 29th. A statement was issued on the Orthopedic’s website on February 9th, but the organization did not issue a notice to the Maine Attorney General’s office until March 5th. The filing with the Attorney General’s office clarified the total number of impacted individuals; 177,276 people.
In a statement, Northeast Orthopedics said data exposed may have included names, Social Security numbers, driver’s license information, payment information, dates of birth, medical records, health insurance information, and treatment and diagnosis information. Individuals who may have had their data exposed are being offered free credit monitoring and identity protection services.
Going deeper
Unfortunately, Northeast Orthopedics is one of many organizations to be impacted by the Infosys breach. Paubox has also covered the breach’s impact on financial institutions, including Fidelity and Bank of America.
The breach first impacted Infosys McCamish, a business technology service provider, in November of 2023. The company filed a letter with the US Securities and Exchange Commission and said they were continuing to investigate the incident. Lockbit, a Russian-based cybercrime organization, ultimately took credit for the attack. Infosys McCamish revealed they lost approximately $30 million while resolving the breach.
What was said
In a statement, Northeast Orthopedics said they “worked with third-party specialists to re-secure our network, implement additional precautions, and we are reviewing our policies and procedures related to data protection.”
The company further added, “In general, we encourage individuals to remain vigilant against incidents of identity theft and fraud by reviewing credit reports/account statements and explanation of benefits forms for suspicious activity and to detect errors.”
The big picture
Incidents like this are becoming increasingly common. Many organizations utilize third parties for consulting, technology, or administrative services. These services can help organizations spend more time focusing on critical work but also means data may pass through more hands. Even if Northeast Orthopedics had high standards of security, data was still made vulnerable by Infosys.
Read more: HIPAA Compliant Email: The Definitive Guide.
Abby Grifno
