Western Orthopaedics Data Breach 2026 (PEAR Ransomware): 113,330 Denver-Area Patients Exposed. 1.7 TB Stolen and Leaked. What To Do
Western Orthopaedics, P.C., a Denver-area orthopaedic surgery group founded in 1938, disclosed in May 2026 a September 2025 ransomware attack by the PEAR group. Approximately 1.7 TB exfiltrated including patient PII, PHI, financial records, and email mailboxes. 113,330 affected. Data was not paid for and was leaked. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 17, 2025
Unauthorized access began
Oct 2, 2025
Western Orthopaedics identifies the security incident
Oct 4, 2025
PEAR group claims responsibility on Tor leak site
Mar 3, 2026
Forensic data review concludes; PII/PHI confirmed
May 1, 2026
Filed with HHS OCR (113,330 affected)
May 5, 2026
Individual notification letters mailed
Sep 17, 2025
Unauthorized access began
Oct 2, 2025
Western Orthopaedics identifies the security incident
Oct 4, 2025
PEAR group claims responsibility on Tor leak site
Mar 3, 2026
Forensic data review concludes; PII/PHI confirmed
May 1, 2026
Filed with HHS OCR (113,330 affected)
May 5, 2026
Individual notification letters mailed
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Western Orthopaedics, P.C. is a Denver-area orthopaedic surgery group founded in 1938 and headquartered at 500 E. Hampden Avenue, Suite 400, Englewood, Colorado. It operates a physical-therapy location at 1830 Franklin Street, Denver, and is staffed by roughly seven surgeons (Drs. Baran, Bazaz, Eby, Hatzidakis, Parks, Sears, and White) plus PT clinicians.
Between September 17 and 25, 2025, an unauthorized third party accessed Western Orthopaedics’ network. The practice identified the security incident on October 2, 2025. On October 4, 2025, the PEAR (“Pure Extortion and Ransom”) cyber-extortion group claimed responsibility on its dark-web leak site, asserting that roughly 1.7 TB of data had been exfiltrated — including patient PII and PHI, financial records, HR data, partner and vendor data, payment data, mailbox and email contents, and database exports.
Western Orthopaedics did not pay the demanded ransom. PEAR subsequently leaked the stolen data on its Tor site. The forensic review of which patients were affected concluded on March 3, 2026. Western Orthopaedics filed with the US Department of Health and Human Services Office for Civil Rights on May 1, 2026 (113,330 affected) and began mailing individual notification letters approximately May 5, 2026.
State AG filings reported so far: Texas (363 residents), Massachusetts (46 residents).
What was stolen
The compromised data includes:
- Full name, home address, phone number, date of birth
- Social Security number
- Financial account / credit-debit card numbers (for some records, including security codes, access codes, or passwords)
- Health insurance information (plan / subscriber ID)
- Medical provider name
- Dates of service
- Medical cost and billing information
The inclusion of payment-card security codes and financial-account passwords is unusual and significantly more severe than a typical healthcare-breach exposure profile.
What Western Orthopaedics is offering
Complimentary credit monitoring and identity protection via Epiq: one-bureau credit monitoring with alerts, dark-web monitoring, credit-freeze assistance, change-of-address monitoring, and identity-restoration support. The enrollment duration was not specified in the public sample notice (typically 12 or 24 months for Epiq packages).
- Dedicated response line: 855-815-3938 (Monday to Friday, 8 a.m. to 8 p.m. Central)
What to do if you received a notification letter
This week:
- Enroll in Epiq monitoring through the enrollment code in your letter.
- Place free credit freezes at Equifax, Experian, and TransUnion.
- File IRS Form 14039 to prevent fraudulent tax-return filings.
- Cancel and reissue any payment cards referenced in your Western Orthopaedics billing history — payment-card data with security codes is among the most directly fraud-usable elements in this dataset.
- Change passwords on any account that may have shared a password with information stored in your Western Orthopaedics records.
This month:
- Stop the ongoing flow of your orthopaedic data. HealthConsent files HIPAA restriction requests, FTC HBNR deletion requests, and state-law deletion requests so the orthopaedic-treatment and demographic data exposed in this breach is not continuously re-shared by downstream entities. Because PEAR published the dataset, your record is already in the wild.
- Document any out-of-pocket losses. Two plaintiffs’ firms (Federman & Sherwood, Shamis & Gentile) are publicly investigating. A federal complaint in D. Colorado is expected.
Frequently asked questions
Was my data really published?
Yes. PEAR’s pattern is to publish exfiltrated data when ransom is not paid. The group’s Tor leak listing for Western Orthopaedics remained active at last review.
Should I sue?
No federal class action has been filed as of mid-May 2026, but two plaintiffs’ firms are publicly investigating. The notification just went out in early May, so a class action in D. Colorado (Denver division) is expected within weeks.
Is HealthConsent affiliated with Western Orthopaedics?
No. HealthConsent is an independent health-data privacy service.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Sample Notification Letter (PDF mirror)
- Western Orthopaedics Homepage
- HIPAA Journal: May 2026 Healthcare Provider Breaches Coverage
- Becker's Spine: Colorado Orthopedic Practice Suffers Data Breach
- ClassAction.org: Western Orthopaedics Case Page
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.