Concord Orthopaedics reports data breach affecting patient data

Concord Orthopaedics, a New Hampshire-based orthopedic healthcare practice, is reporting a data breach of its patient check-in and appointment scheduling software. 

Concord Orthopaedics was notified on November 21, 2024, by a third-party vendor that unauthorized access had occurred to the software used for patient check-ins and appointment scheduling. COPA shut down all access to the affected system, reset passwords for the third-party software, and engaged external cybersecurity specialists to investigate the nature and scope of the incident.

The investigation confirmed that an unauthorized actor had gained access to the third-party software and potentially viewed and/or acquired patient registration and appointment intake information stored within the system. The exposed information includes:

• Names
• Social Security numbers
• Dates of birth
• Driver's license or state identification numbers
• Appointment information (including appointment type, treating physician name, and date and location of appointment)
• Health insurance information (including health plan beneficiary number, health plan number, and insurance eligibility information)

The nature of the attack has not been disclosed.

Update - as of 29th of March 2025, the company reports it will be notifying over 67,000 impacted individuals.

The healthcare provider emphasized that there was no evidence of compromise to COPA's internal environment or its electronic health records system, which is hosted in a separate application.

On March 25, 2025, Concord Orthopaedics began sending breach notification letters to affected individuals and posted a notice of the incident on its website.