Active breach tracker Brookfield, Connecticut Disclosed April 23, 2025

Orthopaedic Specialists of Connecticut Data Breach (2025): 22,541 Patients Exposed in INC RANSOM Ransomware Attack

Orthopaedic Specialists of Connecticut (OSC), a Brookfield-based orthopedic practice, notified 22,541 patients on April 23, 2025 of a March 2, 2025 ransomware attack claimed by the INC RANSOM group. Names, dates of birth, Social Security numbers, health insurance ID numbers, and medical information were exposed. A $5M+ class action was filed in the U.S. District Court for the District of Connecticut on May 6, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Mar 2, 2025

Unauthorized actor accesses Orthopaedic Specialists of Connecticut's network environment; OSC takes steps to secure the network and engages third-party forensic incident response specialists

Mar 2, 2025

OSC detects the unauthorized network activity the same day access occurred and begins its investigation

Apr 14, 2025

INC RANSOM ransomware group claims responsibility on its dark web leak site, asserting it obtained OSC data

Apr 23, 2025

OSC files breach notification with the HHS Office for Civil Rights (22,541 affected), posts substitute notice on ctorthopaedic.com/data-security, and begins mailing individual notification letters offering 12 months of complimentary credit monitoring and identity theft protection

Apr 23, 2025

Disclosed publicly

May 6, 2025

Mancini v. Orthopaedic Specialists of Connecticut filed in U.S. District Court for the District of Connecticut, seeking damages in excess of $5 million on behalf of more than 22,000 patients

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

03

Contact & insurance

Phishing + targeted scams

First name Last name Health insurance ID number Medical information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Zeldes, Needle & Cooper PC Poulin, Willey, Anastopoulo Strauss Borrelli PLLC Migliaccio & Rathod LLP Srourian Law Firm Shamis & Gentile P.A.
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Orthopaedic Specialists of Connecticut (OSC), an orthopedic practice headquartered in Brookfield, Connecticut with an additional location in Stamford, notified 22,541 patients on April 23, 2025 that their personal and protected health information had been exposed in a ransomware attack carried out by the INC RANSOM group. The unauthorized actor accessed OSC’s network environment on March 2, 2025, and INC RANSOM later claimed the attack on its dark web leak site. A federal class action was filed in the U.S. District Court for the District of Connecticut on May 6, 2025, alleging negligence and seeking damages in excess of $5 million.

Timeline

  • March 2, 2025 — An unauthorized actor accesses OSC’s network environment. OSC detects the activity the same day, takes immediate steps to secure the network, and engages a specialized third-party forensic incident response firm to investigate the scope of the intrusion.
  • April 14, 2025 — INC RANSOM claims responsibility on its dark web leak site, asserting it obtained data from OSC.
  • April 23, 2025 — OSC files a breach notification with the HHS Office for Civil Rights reporting 22,541 affected individuals in a Hacking/IT Incident at a Network Server, posts a substitute notice at ctorthopaedic.com/data-security, and begins mailing individual notification letters offering 12 months of complimentary credit monitoring and identity theft protection.
  • May 6, 2025Mancini v. Orthopaedic Specialists of Connecticut is filed in the U.S. District Court for the District of Connecticut by named plaintiff Marisa Mancini of Danbury, seeking damages in excess of $5 million on behalf of a putative class of more than 22,000 patients.

Exposed

According to OSC’s substitute notice and individual notification letters, the exposed information varied by individual but may include:

  • First name and last name
  • Date of birth
  • Social Security number
  • Health insurance ID number
  • Medical information

OSC stated that the types of data involved differed from individual to individual and that not every affected person had all of the listed elements exposed. The combination of Social Security number plus date of birth is the high-risk pairing for new-account fraud and synthetic identity theft. Because INC RANSOM is a data-extortion ransomware group that has historically posted exfiltrated files when victims do not pay, the exposed data should be treated as having left the network.

What Orthopaedic Specialists of Connecticut is offering

OSC arranged complimentary identity protection services for all potentially impacted individuals at no cost. The package includes:

  • 12 months of credit monitoring.
  • 12 months of identity theft protection services.
  • A dedicated call center at 1-844-534-6032, open Monday through Friday, 8:00 a.m. to 8:00 p.m. ET, excluding holidays.

OSC has also said it is enhancing the technical safeguards in its network environment to reduce the likelihood of a similar incident.

Class-action posture

The federal class action is Mancini v. Orthopaedic Specialists of Connecticut, filed May 6, 2025 in the U.S. District Court for the District of Connecticut. Named plaintiff Marisa Mancini, a Danbury resident, is represented by Jeremy C. Virgil of Zeldes, Needle & Cooper PC in Bridgeport and Paul J. Doolittle of Poulin, Willey, Anastopoulo in Charleston, South Carolina.

The complaint pleads five causes of action: negligence, breach of implied contract, unjust enrichment, invasion of privacy, and a violation of the Connecticut Unfair Trade Practices Act. The complaint alleges that OSC’s breach notice “obfuscated the nature of the breach and the threat it posed” by refusing to tell current and former patients how many people were impacted, how the breach happened, or why notification was delayed.

Plaintiff firms publicly investigating or representing class members include Zeldes, Needle & Cooper PC; Poulin, Willey, Anastopoulo; Strauss Borrelli PLLC; Migliaccio & Rathod LLP; Srourian Law Firm; and Shamis & Gentile P.A.

What to do if you may be affected

  1. Keep your OSC notification letter. It identifies which data elements were exposed for your specific record and includes the enrollment code for the complimentary credit monitoring and identity theft protection.
  2. Enroll in the 12-month credit monitoring and identity theft protection before the activation deadline on your letter. There is no cost.
  3. Freeze your credit at Equifax, Experian, and TransUnion. Social Security numbers were in scope, so a freeze is the highest-leverage step against new-account fraud.
  4. File IRS Form 14039 (Identity Theft Affidavit) if you see signs of tax-refund fraud.
  5. Watch for medical identity theft. Health insurance ID numbers were exposed. Review Explanation of Benefits statements for procedures or providers you do not recognize and dispute anything unfamiliar in writing.
  6. Be skeptical of unsolicited contact referencing your OSC care, appointment history, or this incident. INC RANSOM and other threat actors routinely follow ransomware attacks with phishing and impersonation of breach response teams.
  7. Stop the ongoing flow of your treatment and insurance data. HealthConsent files HIPAA restriction requests so the diagnoses, insurance, and visit data exposed in this breach is not continuously re-shared.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.