PHI Compromised Due to Data Breaches at OrthoConnecticut, Empath Health and Bridgeway Center

OrthoConnecticut Data Breach

OrthoConnecticut has announced that the protected health information (PHI) of about 118,000 patients was exposed in an attack. OrthoConnecticut is a multi-specialty orthopedic company located in Danbury, CT that has 9 centers in the area. It recently discovered unauthorized access to its system and upon inquiry by the forensic group, the unauthorized third party accessed the network between November 24, 2023 , and November 28, 2023. In that period, the attacker possibly extracted files from the network that included patients’ PHI.

OrthoConnecticut carried out a detailed assessment of all files on the system to find out which patients were impacted. It was affirmed on March 27, 2024, that the PHI of 118,141 individuals was compromised. The types of data affected differed from one patient to another and potentially included complete names combined with at least one of these information: Social Security number, birth date, and medical details like physician’s name, patient account number, laboratory test results, and patient background. OrthoConnecticut mentioned it had undertaken a lot of safeguards before the incident to secure patient records, including constantly tracking and changing its protocols and internal settings, and will keep on doing so.

Empath Health Data Breach

Empath-Stratum Inc., which is also called Empath Health in Florida, has reported the exposure of the PHI of 5,545 individuals in a data security breach. The non-profit company discovered unauthorized access to its internal system on February 27, 2024, quickly took action to protect its system and investigated the nature and extent of the breach. The investigation showed that an unauthorized third party got access to accounts from February 26 to February 27, 2024. One account was accessed from December 5 to December 6, 2023.

The analysis of the breached accounts revealed that they included patient data. The types of information in the accounts differed from one patient to another and contained names, birth dates, patient identifiers, treatment data, and some care expenses. There was no report received involving cases of attempted or actual identity theft and fraud during the sending of notifications. Empath Health reported that it implemented more technical security steps, and is reviewing policies, protocols, and HIPAA training for employees to avoid identical occurrences later on.

Bridgeway Center Encounters Cyberattack

Behavioral health services provider Bridgeway Center, Inc. based in Florida has affirmed that attackers acquired access to its network and possibly acquired the personal PHI of 36,353 people. Suspicious activity was discovered inside its system on February 21, 2024, and a cybersecurity and incident response provider conducted a forensic investigation to find out the nature and extent of the attack. On March 18, 2024, the first investigation into the breach confirmed that the breached systems included client and worker data. The information is currently being analyzed to mail the notifications.

Bridgeway Center has affirmed that these types of client data were compromised: names, military ID numbers, student ID numbers, medical insurance data, financial help data, medical record numbers, therapist/doctor notes, diagnosis information, mental/physical conditions, prescription details, medical procedure data, dates of service, dates of death, Medicaid/Medicare ID numbers, sickness certificates, and medical billing data. For workers, the breached data contains names, birth dates, Social Security numbers, financial account numbers, and driver’s license numbers/state-issued ID card numbers. Bridgeway Center stated security measures were improved to stop identical incidents later on and the impacted persons are being provided free credit monitoring and identity theft protection services.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at