Concord Orthopaedics Data Breach (2025): 72,815 Patients Exposed in Everest Ransomware Attack on Clearwave Check-In Vendor
Concord Orthopaedics, a New Hampshire orthopedics and rheumatology practice, notified 72,815 patients on March 25, 2025 of a November 21, 2024 vendor-side ransomware attack on its Clearwave patient check-in software. The Everest ransomware group claimed the attack and posted data. A consolidated class action settlement received preliminary approval on February 24, 2026 with a final fairness hearing on June 23, 2026.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 21, 2024
Concord Orthopaedics notified by its third-party patient check-in vendor (Clearwave) that an unauthorized actor may have accessed the patient registration software
Nov 21, 2024
Attacker gained access
Mar 25, 2025
Notification letters mailed to affected patients; substitute notice posted; filings submitted to HHS OCR and the New Hampshire and Massachusetts Attorneys General (67,835 NH residents; 1,517 MA residents)
Mar 25, 2025
Disclosed publicly
Apr 1, 2025
First class action filed: Montambeault v. Concord Orthopaedics Professional Association in New Hampshire Superior Court
Jun 1, 2025
Four additional class action complaints filed and consolidated into Montambeault, et al. v. Concord Orthopaedics Professional Association in Hillsborough County Superior Court
Feb 24, 2026
Court grants preliminary approval of the proposed class action settlement
Mar 26, 2026
Settlement notices mailed to class members; settlement claim portal goes live at ConcordDataSettlement.com
Jun 23, 2026
Final fairness hearing scheduled at 10:00 a.m. in Hillsborough County Superior Court (300 Chestnut St., Manchester, NH 03101)
Nov 21, 2024
Concord Orthopaedics notified by its third-party patient check-in vendor (Clearwave) that an unauthorized actor may have accessed the patient registration software
Nov 21, 2024
Attacker gained access
Mar 25, 2025
Notification letters mailed to affected patients; substitute notice posted; filings submitted to HHS OCR and the New Hampshire and Massachusetts Attorneys General (67,835 NH residents; 1,517 MA residents)
Mar 25, 2025
Disclosed publicly
Apr 1, 2025
First class action filed: Montambeault v. Concord Orthopaedics Professional Association in New Hampshire Superior Court
Jun 1, 2025
Four additional class action complaints filed and consolidated into Montambeault, et al. v. Concord Orthopaedics Professional Association in Hillsborough County Superior Court
Feb 24, 2026
Court grants preliminary approval of the proposed class action settlement
Mar 26, 2026
Settlement notices mailed to class members; settlement claim portal goes live at ConcordDataSettlement.com
Jun 23, 2026
Final fairness hearing scheduled at 10:00 a.m. in Hillsborough County Superior Court (300 Chestnut St., Manchester, NH 03101)
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Concord Orthopaedics Professional Association, a New Hampshire orthopedics and rheumatology practice headquartered in Concord, notified 72,815 patients on March 25, 2025 that their personal and protected health information had been exposed in a vendor-side ransomware attack carried out by the Everest ransomware group. The compromised system was a third-party patient check-in platform (Clearwave) used at the practice’s front desk to register patients and capture insurance information. Concord’s internal electronic health records system was hosted in a separate environment and was not accessed. The matter has progressed to a consolidated New Hampshire class action with a settlement currently before the court for final approval.
Timeline
- November 21, 2024 — Concord Orthopaedics is notified by its third-party patient check-in vendor (Clearwave) that an unauthorized actor may have accessed the software used to register patients for appointments. Concord engages external cybersecurity specialists and notifies federal law enforcement.
- March 25, 2025 — Concord begins mailing individual notification letters, posts a substitute notice on its website, and files with HHS OCR and the New Hampshire and Massachusetts Attorneys General. The New Hampshire AG filing (submitted by outside counsel Troutman Pepper Locke) reports 67,835 New Hampshire residents affected; the Massachusetts filing reports 1,517 residents affected.
- April 1, 2025 — The first class action complaint, Montambeault v. Concord Orthopaedics Professional Association, is filed in New Hampshire Superior Court (Case No. 217-2025-CV-00292).
- Mid-2025 — Four additional class actions are filed and consolidated in the Superior Court of Hillsborough County, New Hampshire, with twelve class representatives.
- February 24, 2026 — The court grants preliminary approval of the proposed class action settlement.
- March 26, 2026 — Settlement notices mailed to class members; the claim portal goes live at ConcordDataSettlement.com with a Unique ID and PIN for each class member.
- June 23, 2026 — Final fairness hearing scheduled at 10:00 a.m. (Superior Court of Hillsborough County, 300 Chestnut St., Manchester, NH 03101).
Exposed
According to the entity’s notice and the AG filings, the exposed information varies by individual but may include:
- Name
- Date of birth
- Social Security number
- Driver’s license or state identification number
- Health insurance information, including health plan beneficiary number, plan number, and eligibility information
- Appointment information, including appointment type, treating physician, and date and location of the appointment
The Everest ransomware group claimed the attack on its dark web leak site, asserting it had obtained Concord Orthopaedics data with records dating back to 2018. The combination of Social Security number plus driver’s license number is the high-risk pairing for new-account fraud and synthetic identity theft.
What Concord Orthopaedics is offering
Concord Orthopaedics arranged complimentary identity protection services for affected individuals upon notification. Under the proposed class action settlement, class members are eligible to claim:
- One year of CyEx Medical Shield Complete for all settlement class members. This medical-specific monitoring service includes $1 million in medical identity theft insurance and monitors for: healthcare insurance ID exposure, Medical Record Number (MRN) exposure, and unauthorized Health Savings Account (HSA) spending. Claims filed for minor children go to the child’s benefit (not the parent who filed).
- Reimbursement of documented, unreimbursed out-of-pocket losses caused by the breach, up to $3,000 per class member (receipts required; losses must have occurred between November 21, 2024 and July 8, 2026; amounts already reimbursed by third parties are excluded).
- Reimbursement for lost time spent responding to the breach (up to four hours at $25 per hour, maximum $100).
- Alternatively, a one-time cash payment currently estimated at approximately $50 per claimant, subject to claim volume. (Claimants choosing the alternate cash payment may not also claim lost time.)
Settlement payments can be distributed by PayPal, Venmo, Zelle, virtual prepaid card, or physical check.
Key settlement deadlines:
- Objection and exclusion (opt-out) deadline: May 26, 2026
- Claim submission deadline: July 8, 2026
- Final fairness hearing: June 23, 2026 at 10:00 a.m.
The settlement fund covers attorneys’ fees of $200,000 and service awards of $1,500 each to class representatives. Settlement administrator: Simpluris ([email protected]; 1-844-804-3481; P.O. Box 25226, Santa Ana, CA 92799-9958).
Class-action posture
The consolidated case is Montambeault, et al. v. Concord Orthopaedics Professional Association, Case No. 217-2025-CV-00292, pending in the Superior Court of Hillsborough County, New Hampshire. The complaints allege that Concord Orthopaedics failed to implement reasonable cybersecurity measures and oversight of its vendor and that, as a result, threat actors accessed sensitive personal and health information. The parties reached a settlement on a no-admission basis. The court granted preliminary approval on February 24, 2026, and the final approval hearing is scheduled for June 23, 2026.
Plaintiff firms publicly investigating or representing class members include Console & Associates, P.C.; Strauss Borrelli PLLC; Finkelstein, Blankinship, Frei-Pearson & Garber, LLP; Federman & Sherwood; Migliaccio & Rathod LLP; and Ahdoot & Wolfson, PC.
What to do if you may be affected
- Keep your Concord Orthopaedics notification letter. It controls your eligibility for the settlement and identifies which data elements were exposed for your specific record.
- Submit a settlement claim before July 8, 2026. The official site is concorddatasettlement.com. Even without out-of-pocket losses, you remain eligible for the cash payment, lost-time reimbursement, and one-year medical data monitoring.
- Freeze your credit at Equifax, Experian, and TransUnion. Social Security numbers and driver’s license numbers were in scope.
- File IRS Form 14039 (Identity Theft Affidavit) if you see signs of tax-refund fraud.
- Watch for medical identity theft. Review Explanation of Benefits statements for procedures or providers you do not recognize and dispute anything unfamiliar in writing.
- Be skeptical of unsolicited contact that references your Concord Orthopaedics care, appointment history, or this settlement. Threat actors and scam settlement-recovery firms routinely impersonate breach response teams.
- Stop the ongoing flow of your appointment and insurance data. HealthConsent files HIPAA restriction requests so the registration, insurance, and visit data exposed in this breach is not continuously re-shared.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory filing.
- Concord Orthopaedics Notice of Data Breach (PDF) — the entity’s substitute notice.
- Concord Orthopaedic Notifies Individuals of Security Incident (PR Newswire) — official press release.
- DataBreaches.net coverage of the notification and Everest attribution.
- HIPAA Journal: Class action settlement summary.
- Montambeault v. Concord Orthopaedics — official settlement website — case caption, court, case number, and key deadlines.
- ClassAction.org settlement article.
- JDSupra / Console & Associates: Concord Orthopaedics Notifies Patients of Data Breach.
- Becker’s Spine Review: New Hampshire orthopedic practice settles data breach lawsuit.
- ClaimDepot: Concord Orthopaedics Data Breach Class Action Settlement (fund allocation, payment options).
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Concord Orthopaedics Notice of Data Breach (PDF)
- Concord Orthopaedic Notifies Individuals of Security Incident (PR Newswire)
- DataBreaches.net: Four months after learning of a vendor's breach, Concord notifies ~68,000 patients
- HIPAA Journal: Settlement Agreed to Resolve Class Action Data Breach Litigation Against Concord Orthopaedics
- Montambeault v. Concord Orthopaedics — Official Settlement Website
- ClassAction.org: Concord Orthopaedics Settlement Ends Class Action Lawsuit
- JDSupra / Console & Associates: Concord Orthopaedics Notifies Patients of Data Breach
- Becker's Spine Review: New Hampshire orthopedic practice settles data breach lawsuit
- ClaimDepot: Concord Orthopaedics Data Breach Class Action Settlement (fund allocation and payment options)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.