Active breach tracker Concord, New Hampshire Disclosed March 25, 2025

Concord Orthopaedics Data Breach (2025): 72,815 Patients Exposed in Everest Ransomware Attack on Clearwave Check-In Vendor

Concord Orthopaedics, a New Hampshire orthopedics and rheumatology practice, notified 72,815 patients on March 25, 2025 of a November 21, 2024 vendor-side ransomware attack on its Clearwave patient check-in software. The Everest ransomware group claimed the attack and posted data. A consolidated class action settlement received preliminary approval on February 24, 2026 with a final fairness hearing on June 23, 2026.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 21, 2024

Concord Orthopaedics notified by its third-party patient check-in vendor (Clearwave) that an unauthorized actor may have accessed the patient registration software

Nov 21, 2024

Attacker gained access

Mar 25, 2025

Notification letters mailed to affected patients; substitute notice posted; filings submitted to HHS OCR and the New Hampshire and Massachusetts Attorneys General (67,835 NH residents; 1,517 MA residents)

Mar 25, 2025

Disclosed publicly

Apr 1, 2025

First class action filed: Montambeault v. Concord Orthopaedics Professional Association in New Hampshire Superior Court

Jun 1, 2025

Four additional class action complaints filed and consolidated into Montambeault, et al. v. Concord Orthopaedics Professional Association in Hillsborough County Superior Court

Feb 24, 2026

Court grants preliminary approval of the proposed class action settlement

Mar 26, 2026

Settlement notices mailed to class members; settlement claim portal goes live at ConcordDataSettlement.com

Jun 23, 2026

Final fairness hearing scheduled at 10:00 a.m. in Hillsborough County Superior Court (300 Chestnut St., Manchester, NH 03101)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license or state ID number

03

Contact & insurance

Phishing + targeted scams

Name Health insurance information (plan beneficiary number, plan number, eligibility) Appointment information (type, treating physician, date and location)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Console & Associates, P.C. Strauss Borrelli PLLC Finkelstein, Blankinship, Frei-Pearson & Garber, LLP Federman & Sherwood Migliaccio & Rathod LLP Ahdoot & Wolfson, PC
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Concord Orthopaedics Professional Association, a New Hampshire orthopedics and rheumatology practice headquartered in Concord, notified 72,815 patients on March 25, 2025 that their personal and protected health information had been exposed in a vendor-side ransomware attack carried out by the Everest ransomware group. The compromised system was a third-party patient check-in platform (Clearwave) used at the practice’s front desk to register patients and capture insurance information. Concord’s internal electronic health records system was hosted in a separate environment and was not accessed. The matter has progressed to a consolidated New Hampshire class action with a settlement currently before the court for final approval.

Timeline

  • November 21, 2024 — Concord Orthopaedics is notified by its third-party patient check-in vendor (Clearwave) that an unauthorized actor may have accessed the software used to register patients for appointments. Concord engages external cybersecurity specialists and notifies federal law enforcement.
  • March 25, 2025 — Concord begins mailing individual notification letters, posts a substitute notice on its website, and files with HHS OCR and the New Hampshire and Massachusetts Attorneys General. The New Hampshire AG filing (submitted by outside counsel Troutman Pepper Locke) reports 67,835 New Hampshire residents affected; the Massachusetts filing reports 1,517 residents affected.
  • April 1, 2025 — The first class action complaint, Montambeault v. Concord Orthopaedics Professional Association, is filed in New Hampshire Superior Court (Case No. 217-2025-CV-00292).
  • Mid-2025 — Four additional class actions are filed and consolidated in the Superior Court of Hillsborough County, New Hampshire, with twelve class representatives.
  • February 24, 2026 — The court grants preliminary approval of the proposed class action settlement.
  • March 26, 2026 — Settlement notices mailed to class members; the claim portal goes live at ConcordDataSettlement.com with a Unique ID and PIN for each class member.
  • June 23, 2026 — Final fairness hearing scheduled at 10:00 a.m. (Superior Court of Hillsborough County, 300 Chestnut St., Manchester, NH 03101).

Exposed

According to the entity’s notice and the AG filings, the exposed information varies by individual but may include:

  • Name
  • Date of birth
  • Social Security number
  • Driver’s license or state identification number
  • Health insurance information, including health plan beneficiary number, plan number, and eligibility information
  • Appointment information, including appointment type, treating physician, and date and location of the appointment

The Everest ransomware group claimed the attack on its dark web leak site, asserting it had obtained Concord Orthopaedics data with records dating back to 2018. The combination of Social Security number plus driver’s license number is the high-risk pairing for new-account fraud and synthetic identity theft.

What Concord Orthopaedics is offering

Concord Orthopaedics arranged complimentary identity protection services for affected individuals upon notification. Under the proposed class action settlement, class members are eligible to claim:

  • One year of CyEx Medical Shield Complete for all settlement class members. This medical-specific monitoring service includes $1 million in medical identity theft insurance and monitors for: healthcare insurance ID exposure, Medical Record Number (MRN) exposure, and unauthorized Health Savings Account (HSA) spending. Claims filed for minor children go to the child’s benefit (not the parent who filed).
  • Reimbursement of documented, unreimbursed out-of-pocket losses caused by the breach, up to $3,000 per class member (receipts required; losses must have occurred between November 21, 2024 and July 8, 2026; amounts already reimbursed by third parties are excluded).
  • Reimbursement for lost time spent responding to the breach (up to four hours at $25 per hour, maximum $100).
  • Alternatively, a one-time cash payment currently estimated at approximately $50 per claimant, subject to claim volume. (Claimants choosing the alternate cash payment may not also claim lost time.)

Settlement payments can be distributed by PayPal, Venmo, Zelle, virtual prepaid card, or physical check.

Key settlement deadlines:

  • Objection and exclusion (opt-out) deadline: May 26, 2026
  • Claim submission deadline: July 8, 2026
  • Final fairness hearing: June 23, 2026 at 10:00 a.m.

The settlement fund covers attorneys’ fees of $200,000 and service awards of $1,500 each to class representatives. Settlement administrator: Simpluris ([email protected]; 1-844-804-3481; P.O. Box 25226, Santa Ana, CA 92799-9958).

Class-action posture

The consolidated case is Montambeault, et al. v. Concord Orthopaedics Professional Association, Case No. 217-2025-CV-00292, pending in the Superior Court of Hillsborough County, New Hampshire. The complaints allege that Concord Orthopaedics failed to implement reasonable cybersecurity measures and oversight of its vendor and that, as a result, threat actors accessed sensitive personal and health information. The parties reached a settlement on a no-admission basis. The court granted preliminary approval on February 24, 2026, and the final approval hearing is scheduled for June 23, 2026.

Plaintiff firms publicly investigating or representing class members include Console & Associates, P.C.; Strauss Borrelli PLLC; Finkelstein, Blankinship, Frei-Pearson & Garber, LLP; Federman & Sherwood; Migliaccio & Rathod LLP; and Ahdoot & Wolfson, PC.

What to do if you may be affected

  1. Keep your Concord Orthopaedics notification letter. It controls your eligibility for the settlement and identifies which data elements were exposed for your specific record.
  2. Submit a settlement claim before July 8, 2026. The official site is concorddatasettlement.com. Even without out-of-pocket losses, you remain eligible for the cash payment, lost-time reimbursement, and one-year medical data monitoring.
  3. Freeze your credit at Equifax, Experian, and TransUnion. Social Security numbers and driver’s license numbers were in scope.
  4. File IRS Form 14039 (Identity Theft Affidavit) if you see signs of tax-refund fraud.
  5. Watch for medical identity theft. Review Explanation of Benefits statements for procedures or providers you do not recognize and dispute anything unfamiliar in writing.
  6. Be skeptical of unsolicited contact that references your Concord Orthopaedics care, appointment history, or this settlement. Threat actors and scam settlement-recovery firms routinely impersonate breach response teams.
  7. Stop the ongoing flow of your appointment and insurance data. HealthConsent files HIPAA restriction requests so the registration, insurance, and visit data exposed in this breach is not continuously re-shared.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.