On August 25, 2022, EmergeOrtho reported a data breach to various state attorneys general offices after the company learned it was the target of a ransomware attack. According to EmergeOrtho, the breach resulted in the first and last names, addresses, Social Security numbers, and dates of birth of certain individuals being compromised. After confirming the breach and identifying all affected parties, EmergeOrtho began sending out data breach letters to the 75,200 people whose information was compromised in the recent incident.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the EmergeOrtho data breach, please see our recent piece on the topic here.
What We Know About the EmergeOrtho Data Breach
The information about the EmergeOrtho data breach comes from the company’s official filing with the Attorney General of Maine. According to the company’s most recent disclosures, on May 18, 2022, EmergeOrtho determined that the company had been targeted in a recent ransomware attack in which an unauthorized third party accessed some of EmergeOrtho’s computer systems. In response, the company secured its systems and launched an investigation into the incident with the help of third-party cybersecurity specialists.
On August 19, 2022, the company’s investigation confirmed that an unauthorized third party accessed certain personal information belonging to EmergeOrtho patients as a result of the incident.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, EmergeOrtho began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the breached information varies depending on the individual, it may include your first and last name, address, Social Security number, and date of birth.
On August 25, 2022, EmergeOrtho sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. The company currently estimates that 75,200 people were affected by the data breach.
More Information About EmergeOrtho
EmergeOrtho is one of the largest orthopedic healthcare providers in the United States. Based in Durham, North Carolina, the company was created in 2016 when four of North Carolina’s top orthopedic practices combined. Currently, EmergeOrtho has 45 outpatient offices in more than 21 counties across North Carolina, including in the following regions: Asheville & Blue Ridge Region, Coastal Region, Foothills Region, Triad Region, and Triangle Region. EmergeOrtho employs more than 1,000 people and generates approximately $228 million in annual revenue.
Ransomware Attacks Are One of the Top Causes of Data Breaches in 2022
Ransomware attacks have long been one of the most common types of cyberattacks, and based on the most recent data, this continues to be the case. In fact, an estimated 189 million people fell victim to ransomware attacks in 2021 alone. Given the prevalence of these cyberattacks, it is important for all consumers, and especially those who have had their information compromised in a recent data breach, to understand the risks of a ransomware attack and what can be done to reduce the chances of identity theft or other fraud.
As a general matter, a ransomware attack occurs when a hacker or other bad actor installs malware on a victim’s computer. Hackers usually orchestrate these attacks by sending a phishing email to an employee in hopes of getting the employee to click on a malicious link that downloads the malware onto their computer. Once the victim’s device is infected, the malware encrypts some or all of the files on the computer and may spread to the company’s network. The hackers then send the company a message demanding a ransom if the company wants to regain access to the device or network. In theory, once the victim organization pays the ransom, the hackers decrypt the victim’s computer, which ends the attack from the company’s perspective.
There is, however, a new type of ransomware attack in which the hackers who carry out the attack threaten to publish any exfiltrated data if the ransom goes unpaid. Companies do not want to be seen as putting money over the privacy of their customers’ information, so this adds to the incentive to pay a ransom. Not surprisingly, these new ransomware attacks have been very successful.
While there is no evidence that the consumer data stolen during the EmergeOrtho data breach has made its way to the dark web, it remains a possibility. Once on the dark web, criminals can bid on the data, which they can then use to commit identity theft and other fraud. Of course, while companies that are targeted in a ransomware attack are victims in some sense, the real victims of these attacks are the consumers whose information ends up in the hands of those looking to commit fraud.
Companies not only have the resources to pay the occasional ransom, but they also have the ability and responsibility to implement robust data security systems designed to prevent these attacks in the first place. Victims of a data breach who would like to learn more about how to reduce the risk of identity theft or learn about their options to hold the company that leaked their information accountable should contact a data breach lawyer as soon as possible.