Orthopaedic Specialists of Connecticut Data Breach (2025): 22,541 Patients Exposed in INC RANSOM Ransomware Attack
Orthopaedic Specialists of Connecticut (OSC), a Brookfield-based orthopedic practice, notified 22,541 patients on April 23, 2025 of a March 2, 2025 ransomware attack claimed by the INC RANSOM group. Names, dates of birth, Social Security numbers, health insurance ID numbers, and medical information were exposed. A $5M+ class action was filed in the U.S. District Court for the District of Connecticut on May 6, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Mar 2, 2025
Unauthorized actor accesses Orthopaedic Specialists of Connecticut's network environment; OSC takes steps to secure the network and engages third-party forensic incident response specialists
Mar 2, 2025
OSC detects the unauthorized network activity the same day access occurred and begins its investigation
Apr 14, 2025
INC RANSOM ransomware group claims responsibility on its dark web leak site, asserting it obtained OSC data
Apr 23, 2025
OSC files breach notification with the HHS Office for Civil Rights (22,541 affected), posts substitute notice on ctorthopaedic.com/data-security, and begins mailing individual notification letters offering 12 months of complimentary credit monitoring and identity theft protection
Apr 23, 2025
Disclosed publicly
May 6, 2025
Mancini v. Orthopaedic Specialists of Connecticut filed in U.S. District Court for the District of Connecticut, seeking damages in excess of $5 million on behalf of more than 22,000 patients
Mar 2, 2025
Unauthorized actor accesses Orthopaedic Specialists of Connecticut's network environment; OSC takes steps to secure the network and engages third-party forensic incident response specialists
Mar 2, 2025
OSC detects the unauthorized network activity the same day access occurred and begins its investigation
Apr 14, 2025
INC RANSOM ransomware group claims responsibility on its dark web leak site, asserting it obtained OSC data
Apr 23, 2025
OSC files breach notification with the HHS Office for Civil Rights (22,541 affected), posts substitute notice on ctorthopaedic.com/data-security, and begins mailing individual notification letters offering 12 months of complimentary credit monitoring and identity theft protection
Apr 23, 2025
Disclosed publicly
May 6, 2025
Mancini v. Orthopaedic Specialists of Connecticut filed in U.S. District Court for the District of Connecticut, seeking damages in excess of $5 million on behalf of more than 22,000 patients
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Orthopaedic Specialists of Connecticut (OSC), an orthopedic practice headquartered in Brookfield, Connecticut with an additional location in Stamford, notified 22,541 patients on April 23, 2025 that their personal and protected health information had been exposed in a ransomware attack carried out by the INC RANSOM group. The unauthorized actor accessed OSC’s network environment on March 2, 2025, and INC RANSOM later claimed the attack on its dark web leak site. A federal class action was filed in the U.S. District Court for the District of Connecticut on May 6, 2025, alleging negligence and seeking damages in excess of $5 million.
Timeline
- March 2, 2025 — An unauthorized actor accesses OSC’s network environment. OSC detects the activity the same day, takes immediate steps to secure the network, and engages a specialized third-party forensic incident response firm to investigate the scope of the intrusion.
- April 14, 2025 — INC RANSOM claims responsibility on its dark web leak site, asserting it obtained data from OSC.
- April 23, 2025 — OSC files a breach notification with the HHS Office for Civil Rights reporting 22,541 affected individuals in a Hacking/IT Incident at a Network Server, posts a substitute notice at ctorthopaedic.com/data-security, and begins mailing individual notification letters offering 12 months of complimentary credit monitoring and identity theft protection.
- May 6, 2025 — Mancini v. Orthopaedic Specialists of Connecticut is filed in the U.S. District Court for the District of Connecticut by named plaintiff Marisa Mancini of Danbury, seeking damages in excess of $5 million on behalf of a putative class of more than 22,000 patients.
Exposed
According to OSC’s substitute notice and individual notification letters, the exposed information varied by individual but may include:
- First name and last name
- Date of birth
- Social Security number
- Health insurance ID number
- Medical information
OSC stated that the types of data involved differed from individual to individual and that not every affected person had all of the listed elements exposed. The combination of Social Security number plus date of birth is the high-risk pairing for new-account fraud and synthetic identity theft. Because INC RANSOM is a data-extortion ransomware group that has historically posted exfiltrated files when victims do not pay, the exposed data should be treated as having left the network.
What Orthopaedic Specialists of Connecticut is offering
OSC arranged complimentary identity protection services for all potentially impacted individuals at no cost. The package includes:
- 12 months of credit monitoring.
- 12 months of identity theft protection services.
- A dedicated call center at 1-844-534-6032, open Monday through Friday, 8:00 a.m. to 8:00 p.m. ET, excluding holidays.
OSC has also said it is enhancing the technical safeguards in its network environment to reduce the likelihood of a similar incident.
Class-action posture
The federal class action is Mancini v. Orthopaedic Specialists of Connecticut, filed May 6, 2025 in the U.S. District Court for the District of Connecticut. Named plaintiff Marisa Mancini, a Danbury resident, is represented by Jeremy C. Virgil of Zeldes, Needle & Cooper PC in Bridgeport and Paul J. Doolittle of Poulin, Willey, Anastopoulo in Charleston, South Carolina.
The complaint pleads five causes of action: negligence, breach of implied contract, unjust enrichment, invasion of privacy, and a violation of the Connecticut Unfair Trade Practices Act. The complaint alleges that OSC’s breach notice “obfuscated the nature of the breach and the threat it posed” by refusing to tell current and former patients how many people were impacted, how the breach happened, or why notification was delayed.
Plaintiff firms publicly investigating or representing class members include Zeldes, Needle & Cooper PC; Poulin, Willey, Anastopoulo; Strauss Borrelli PLLC; Migliaccio & Rathod LLP; Srourian Law Firm; and Shamis & Gentile P.A.
What to do if you may be affected
- Keep your OSC notification letter. It identifies which data elements were exposed for your specific record and includes the enrollment code for the complimentary credit monitoring and identity theft protection.
- Enroll in the 12-month credit monitoring and identity theft protection before the activation deadline on your letter. There is no cost.
- Freeze your credit at Equifax, Experian, and TransUnion. Social Security numbers were in scope, so a freeze is the highest-leverage step against new-account fraud.
- File IRS Form 14039 (Identity Theft Affidavit) if you see signs of tax-refund fraud.
- Watch for medical identity theft. Health insurance ID numbers were exposed. Review Explanation of Benefits statements for procedures or providers you do not recognize and dispute anything unfamiliar in writing.
- Be skeptical of unsolicited contact referencing your OSC care, appointment history, or this incident. INC RANSOM and other threat actors routinely follow ransomware attacks with phishing and impersonation of breach response teams.
- Stop the ongoing flow of your treatment and insurance data. HealthConsent files HIPAA restriction requests so the diagnoses, insurance, and visit data exposed in this breach is not continuously re-shared.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory filing.
- Orthopaedic Specialists of Connecticut — Notice of Data Security Incident — the entity’s substitute notice.
- HIPAA Journal coverage of the OSC and DATS breaches.
- Becker’s Spine Review: OSC suffers data breach affecting 22,000 individuals.
- Hartford Business Journal: Brookfield-based OSC faces $5M class action lawsuit over data breach — class action filing, plaintiff name and city, plaintiff firms, damages sought.
- Connecticut Law Tribune / Law.com: OSC Hit With Data Breach Class Action.
- Paubox: OSC breach impacts 22,541 — INC RANSOM attribution and dark web posting date.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Orthopaedic Specialists of Connecticut — Notice of Data Security Incident
- HIPAA Journal: Orthopaedic Specialists of Connecticut & DATS in Pennsylvania Announce 22K-Record Data Breaches
- Becker's Spine Review: Orthopaedic Specialists of Connecticut suffers data breach affecting 22,000 individuals
- Hartford Business Journal: Brookfield-based Orthopaedic Specialists of CT faces $5M class action lawsuit over data breach
- Connecticut Law Tribune / Law.com: Orthopaedic Specialists of Connecticut Hit With Data Breach Class Action
- Paubox: Orthopaedic Specialists of Connecticut breach impacts 22,541
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.