Fair Oaks Ortho Data Breach 2026: 1,544 Virginia Hand Surgery Patients Exposed via Email Compromise. What To Do
Fair Oaks Ortho P.C., a solo hand, wrist, elbow, and shoulder orthopedic practice in Fairfax, Virginia led by Dr. Stephen W. Pournaras, Jr., filed an HHS OCR breach in February 2026 affecting 1,544 patients via an email account compromise. Specific PHI categories not yet publicly disclosed. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 4, 2025
Attacker gained access
Dec 4, 2025
Breach detected
Feb 2, 2026
HHS OCR filing
Dec 4, 2025
Attacker gained access
Dec 4, 2025
Breach detected
Feb 2, 2026
HHS OCR filing
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Fair Oaks Ortho P.C. is a solo-surgeon orthopedic practice at 3998 Fair Ridge Drive, Suite 100, Fairfax, Virginia. The practice specializes in hand, wrist, elbow, and shoulder surgery, led by Dr. Stephen W. Pournaras, Jr., MD (board-certified orthopedic surgeon) with David Park, PA-C. The practice is single-location and near Inova Fair Oaks Hospital. Patient phone: 703.591.0077.
This is a distinct entity from OrthoVirginia Fair Oaks and Fair Oaks Orthopaedic Associates.
Fair Oaks Ortho filed with HHS OCR on February 2, 2026 — a Hacking/IT Incident at Email affecting 1,544 individuals. Under HIPAA’s 60-day notification rule, discovery was likely on or after early December 2025.
The OCR classification (“Hacking/IT Incident at Email”) at this scale is consistent with the textbook business email compromise (BEC) / phishing-driven mailbox takeover pattern. Specific compromise dates, dwell times, and the threat actor have not been publicly disclosed.
Why this page is sparse
As of mid-May 2026, no entity notice has been posted on handsurgeonfairoaks.com. No notice letter has been located via the Maine, California, or Massachusetts AG portals. No HIPAA Journal, Washington Post, or local Northern Virginia coverage has surfaced. Virginia’s AG breach notices are not publicly indexed in a searchable database (filings go to the OAG but are not routinely posted).
This is normal for a sub-2,500 BEC incident at a solo practice — these are typically OCR-only filings until a plaintiff firm picks them up.
If you receive a Fair Oaks Ortho notification letter, the letter will list the specific data elements involved in your case, the discovery date, and any monitoring services offered.
What was likely exposed
The PHI categories are not publicly disclosed. For an email-BEC incident at a solo orthopedic practice, the email account most likely contained a subset of:
- Full name
- Date of birth
- Address, contact information
- Health insurance information
- Treatment / diagnosis information
- Possibly Social Security number or financial information (if those appeared in mailbox attachments — referrals, intake forms, billing correspondence)
Read your specific notification letter for the confirmed data elements.
What to do
- Read your specific notification letter to confirm what data elements were involved in your case.
- Call the practice at 703.591.0077 if you have not received a letter but suspect you should have.
- Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
- Watch your insurance Explanation of Benefits statements for unfamiliar orthopedic claims.
- Stop the ongoing flow of your hand surgery data. HealthConsent files HIPAA restriction requests so the orthopedic treatment data exposed in this breach is not continuously re-shared.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.