Central Texas Pediatric Orthopedics (CTPO) has reported a data breach affecting 140,000 individuals, resulting in the compromise of sensitive patient information. The incident is believed to be linked to the Qilin ransomware group.
What happened
According to information released by the law firm Levi & Korsinsky, LLP, Central Texas Pediatric Orthopedics became aware of a security incident impacting its network server on or around March 3, 2025. CTPO launched an investigation with third-party cybersecurity experts, which determined that an unauthorized party, the Qilin ransomware group, had gained access and exfiltrated sensitive personal and protected health information.
What's new
CTPO initially filed a notice with the Texas Attorney General's Office on March 6, 2025, indicating that at least 90,000 individuals were affected. Subsequently, on April 4, 2025, CTPO submitted a breach report to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), confirming that the incident impacted 140,000 individuals. CTPO is in the process of sending data breach notification letters to affected individuals. The law firm Levi & Korsinsky has also announced an investigation into the breach to explore potential compensation claims.
Why it matters
The breach potentially exposed a combination of sensitive personal and protected health information. According to the notice from Levi & Korsinsky, based on information and belief, this may include patient names, government-issued ID numbers (such as passports or state IDs), medical information, health insurance details, and dates of birth. The compromise of such comprehensive data places affected individuals at significant risk of identity theft, financial fraud, and other potential harms resulting from the misuse of their personal and health information.
What they're saying
Levi & Korsinsky, LLP, in their press release announcing the investigation, emphasized that data breaches can cause long-term damage and that companies may be held liable if they fail to adequately secure personal data. The firm is encouraging individuals who receive a data breach notification letter from CTPO to contact them to explore potential eligibility for compensation.
FAQs
How will affected individuals be notified?
Central Texas Pediatric Orthopedics is mailing data breach notification letters directly to individuals whose information may have been involved in the incident.
What should affected individuals do if they receive a notice?
Individuals receiving a notification letter should carefully review its contents, remain vigilant by monitoring their financial accounts and medical statements for suspicious activity, and consider exploring their legal rights regarding potential compensation, as suggested by investigating law firms.
Who is the Qilin ransomware group?
Qilin is a known cybercriminal ransomware group that targets organizations across various sectors, encrypting data and demanding payment for its release, often while also stealing sensitive information.
