Active breach tracker Englewood, CO Disclosed May 1, 2026

Western Orthopaedics Data Breach 2026 (PEAR Ransomware): 113,330 Denver-Area Patients Exposed. 1.7 TB Stolen and Leaked. What To Do

Western Orthopaedics, P.C., a Denver-area orthopaedic surgery group founded in 1938, disclosed in May 2026 a September 2025 ransomware attack by the PEAR group. Approximately 1.7 TB exfiltrated including patient PII, PHI, financial records, and email mailboxes. 113,330 affected. Data was not paid for and was leaked. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 17, 2025

Unauthorized access began

Oct 2, 2025

Western Orthopaedics identifies the security incident

Oct 4, 2025

PEAR group claims responsibility on Tor leak site

Mar 3, 2026

Forensic data review concludes; PII/PHI confirmed

May 1, 2026

Filed with HHS OCR (113,330 affected)

May 5, 2026

Individual notification letters mailed

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

03

Contact & insurance

Phishing + targeted scams

Full name Home address Phone number Financial account / credit-debit card number (including security codes for some records) Health insurance information Plan / subscriber ID Medical provider name Dates of service Medical cost and billing information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood (publicly investigating) Shamis & Gentile (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Western Orthopaedics, P.C. is a Denver-area orthopaedic surgery group founded in 1938 and headquartered at 500 E. Hampden Avenue, Suite 400, Englewood, Colorado. It operates a physical-therapy location at 1830 Franklin Street, Denver, and is staffed by roughly seven surgeons (Drs. Baran, Bazaz, Eby, Hatzidakis, Parks, Sears, and White) plus PT clinicians.

Between September 17 and 25, 2025, an unauthorized third party accessed Western Orthopaedics’ network. The practice identified the security incident on October 2, 2025. On October 4, 2025, the PEAR (“Pure Extortion and Ransom”) cyber-extortion group claimed responsibility on its dark-web leak site, asserting that roughly 1.7 TB of data had been exfiltrated — including patient PII and PHI, financial records, HR data, partner and vendor data, payment data, mailbox and email contents, and database exports.

Western Orthopaedics did not pay the demanded ransom. PEAR subsequently leaked the stolen data on its Tor site. The forensic review of which patients were affected concluded on March 3, 2026. Western Orthopaedics filed with the US Department of Health and Human Services Office for Civil Rights on May 1, 2026 (113,330 affected) and began mailing individual notification letters approximately May 5, 2026.

State AG filings reported so far: Texas (363 residents), Massachusetts (46 residents).

What was stolen

The compromised data includes:

  • Full name, home address, phone number, date of birth
  • Social Security number
  • Financial account / credit-debit card numbers (for some records, including security codes, access codes, or passwords)
  • Health insurance information (plan / subscriber ID)
  • Medical provider name
  • Dates of service
  • Medical cost and billing information

The inclusion of payment-card security codes and financial-account passwords is unusual and significantly more severe than a typical healthcare-breach exposure profile.

What Western Orthopaedics is offering

Complimentary credit monitoring and identity protection via Epiq: one-bureau credit monitoring with alerts, dark-web monitoring, credit-freeze assistance, change-of-address monitoring, and identity-restoration support. The enrollment duration was not specified in the public sample notice (typically 12 or 24 months for Epiq packages).

  • Dedicated response line: 855-815-3938 (Monday to Friday, 8 a.m. to 8 p.m. Central)

What to do if you received a notification letter

This week:

  1. Enroll in Epiq monitoring through the enrollment code in your letter.
  2. Place free credit freezes at Equifax, Experian, and TransUnion.
  3. File IRS Form 14039 to prevent fraudulent tax-return filings.
  4. Cancel and reissue any payment cards referenced in your Western Orthopaedics billing history — payment-card data with security codes is among the most directly fraud-usable elements in this dataset.
  5. Change passwords on any account that may have shared a password with information stored in your Western Orthopaedics records.

This month:

  1. Stop the ongoing flow of your orthopaedic data. HealthConsent files HIPAA restriction requests, FTC HBNR deletion requests, and state-law deletion requests so the orthopaedic-treatment and demographic data exposed in this breach is not continuously re-shared by downstream entities. Because PEAR published the dataset, your record is already in the wild.
  2. Document any out-of-pocket losses. Two plaintiffs’ firms (Federman & Sherwood, Shamis & Gentile) are publicly investigating. A federal complaint in D. Colorado is expected.

Frequently asked questions

Was my data really published?

Yes. PEAR’s pattern is to publish exfiltrated data when ransom is not paid. The group’s Tor leak listing for Western Orthopaedics remained active at last review.

Should I sue?

No federal class action has been filed as of mid-May 2026, but two plaintiffs’ firms are publicly investigating. The notification just went out in early May, so a class action in D. Colorado (Denver division) is expected within weeks.

Is HealthConsent affiliated with Western Orthopaedics?

No. HealthConsent is an independent health-data privacy service.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.