Greater Pittsburgh Orthopaedic Associates Data Breach Exposes Thousands

Greater Pittsburgh Orthopaedic Associates (GPOA) recently disclosed a significant data breach that occurred on or about August 10, 2025. The breach, reportedly involving ransomware, exposed sensitive information of as many as 56,954 individuals. The incident was reported to the U.S. Department of Health and Human Services (HHS) on August 27, 2025, and affected individuals were notified in February 2026.

What Happened

On August 10, 2025, Greater Pittsburgh Orthopaedic Associates experienced a cyberattack that compromised sensitive patient data. Although the organization did not initially confirm ransomware involvement, the threat actor group RansomHouse claimed responsibility and listed GPOA on their dark web leak site on August 20, 2025. Proof of the attack, including encrypted data, was reportedly provided by the group.

GPOA reported the breach to HHS on August 27, 2025, initially estimating that 35,000 individuals were affected. However, in a February 20, 2026, disclosure to the Maine Attorney General’s Office, the number of affected individuals was revised to 56,954. Despite the severity of the incident, GPOA did not provide substitute notice on their website, and the full extent of the breach remains under investigation by HHS.

How the Breach Occurred

The breach is believed to have been orchestrated by RansomHouse, a known ransomware group. The group claimed to have encrypted and exfiltrated data from GPOA systems, although details about the specific attack vector remain unclear. Common methods employed by ransomware groups include phishing emails, exploitation of unpatched vulnerabilities, and compromised remote desktop protocol (RDP) access.

Interestingly, GPOA’s notification letter to affected individuals did not explicitly mention ransomware or extortion attempts. This omission raises questions about the organization’s response to the incident and whether they engaged with the threat actors. Additionally, RansomHouse’s dark web listing was never updated, leaving uncertainty about whether the stolen data was leaked, sold, or otherwise distributed.

Data Exposed / Impact

The breach exposed a wide range of sensitive information, potentially impacting thousands of individuals. The compromised data reportedly included:

• Names
• Mailing addresses
• Social Security numbers
• Provider names

GPOA has offered affected individuals credit monitoring and credit score services through Cyberscout. However, the long-term implications of the breach, including potential identity theft and financial fraud, remain a concern for those impacted.

Who Is Affected

The breach primarily affected patients of Greater Pittsburgh Orthopaedic Associates, with the total number of impacted individuals estimated at 56,954. This figure includes patients whose personal and medical information was compromised during the attack.

It is unclear whether non-patient data was also affected, as GPOA’s disclosures have not provided comprehensive details. The organization’s initial report to HHS cited 35,000 affected individuals, but this number was later revised, highlighting discrepancies in the reporting process.

Mitigation and Recommendations

For individuals affected by the breach, it is crucial to take proactive steps to protect personal information and mitigate potential risks:

• Monitor credit reports for unauthorized activity
• Enroll in the credit monitoring services provided by GPOA
• Change passwords for any accounts that may have been compromised
• Be vigilant for phishing attempts or suspicious communications

Organizations, including healthcare providers, should implement robust cybersecurity measures to prevent similar incidents:

• Conduct regular security audits and risk assessments
• Ensure all software and systems are up to date with security patches
• Implement multi-factor authentication for all user accounts
• Provide ongoing cybersecurity training for employees

For immediate malware scanning and removal, Malwarebytes offers free and premium tools trusted by millions of users worldwide.

Final Thoughts

The data breach at Greater Pittsburgh Orthopaedic Associates underscores the critical importance of robust cybersecurity practices in the healthcare sector. The exposure of sensitive patient data not only jeopardizes individual privacy but also erodes trust in medical institutions.

As investigations into the 2025 breach continue, and questions about a potential 2024 incident remain unanswered, GPOA’s experience serves as a stark reminder of the persistent threats facing organizations today. Addressing these vulnerabilities is essential to safeguarding sensitive information and maintaining public confidence.