Access Sports Medicine & Orthopaedics, an orthopedic practice with locations across New Hampshire, has disclosed that hackers broke into its network and stole personal records belonging to roughly 88,000 patients. The stolen data includes Social Security numbers, medical records, and financial information, a combination that gives criminals nearly everything they need to commit identity theft, insurance fraud, or targeted phishing scams.
Three separate government filings, reviewed in May 2026, confirm the breach’s scope and severity. According to secondary reporting consistent with the verified facts, suspicious network activity persisted for days before the provider identified the compromise, a delay that may have given attackers extended access to sensitive patient files. That claim has not been confirmed in any of the primary regulator records.
What government records show
The federal HIPAA breach reporting tool, maintained by the U.S. Department of Health and Human Services Office for Civil Rights, lists the incident as a hacking/IT event affecting 88,000 individuals. The entry identifies the breached data’s location as a network server and classifies the provider as a healthcare entity, placing the event in the category of external cyberattacks rather than insider theft or accidental exposure.
A formal breach notification filed with the Maine Attorney General’s office puts the total at 88,044 affected individuals. Maine requires companies to report breaches that touch even a single state resident, so the filing also captures the geographic spread of the incident beyond New Hampshire.
A third record from the Massachusetts data breach database, logged under breach number 2024-1642, confirms that 4,431 Massachusetts residents were affected. That dataset independently verifies the compromised data types: Social Security numbers, medical information, and financial data. The fact that three separate regulatory bodies name the same provider, cite consistent totals, and agree on the breach category leaves little room for doubt about the incident’s authenticity.
Why this combination of stolen data is so dangerous
A stolen credit card number can be canceled in minutes. A Social Security number cannot. The SSA does allow replacement numbers in extreme identity theft cases, but the process is rare and difficult. For the 88,044 people caught up in this breach, that means the exposure is essentially permanent.
When Social Security numbers are paired with medical records and financial details, the risk multiplies. Criminals can open credit lines, file fraudulent tax returns to claim refunds, or submit fake insurance claims using a patient’s real treatment history. Medical identity theft is particularly insidious because false diagnoses or fabricated treatments can end up in a patient’s health file, potentially complicating future care, insurance approvals, or disability evaluations.
Fraudsters may also attempt to reroute legitimate insurance reimbursements, impersonate patients to obtain prescription drugs, or use the stolen financial data to drain bank accounts. The depth of detail in these records gives attackers a detailed profile of each patient’s life, one that can be exploited immediately or sold on underground markets for others to use months or years later.
Key questions that remain unanswered
Despite the three government filings, several critical details are still missing. None of the public-facing regulator records specify the exact date the intrusion began, when the provider discovered it, or how long the gap between discovery and patient notification lasted. Secondary accounts describe suspicious activity persisting for days before detection, but that timeline is not directly confirmed in the downloadable government data. Without firm timestamps, it is difficult to measure how long attackers had unrestricted access to the network.
“We take the security of our patients’ information very seriously,” is the kind of boilerplate language healthcare providers typically issue after a breach, but as of June 2026, Access Sports Medicine & Orthopaedics has not released a detailed public statement explaining the timeline, the attack method, or the specific remediation steps it has taken. That silence leaves patients to piece together what happened from regulator filings alone.
The method of attack is also unresolved. The filings classify the event broadly as hacking or an external system breach, but they do not specify whether the attackers exploited a software vulnerability, used stolen credentials, or deployed ransomware. That distinction matters beyond this single incident: if the breach stemmed from a flaw in a widely used third-party system, other similarly sized medical practices could face the same exposure and may need to apply urgent patches.
It is also unclear whether law enforcement has identified suspects or linked the intrusion to a known criminal group. Many healthcare breaches are carried out by financially motivated actors who quickly sell stolen data, but some involve targeted extortion. Without investigative updates, patients should assume the stolen information could circulate broadly.
Whether Access Sports Medicine & Orthopaedics is offering credit monitoring or identity protection services to affected patients cannot be confirmed from the regulator datasets alone. The Maine filing framework typically requires companies to describe remediation steps, but the public summary does not always reproduce those details.
A pattern that keeps repeating at smaller practices
This breach fits a troubling pattern in healthcare cybersecurity. Large hospital systems typically operate centralized security operations centers with round-the-clock monitoring. Smaller specialty practices, including orthopedic and sports medicine clinics, often rely on part-time IT staff or outsourced managed service providers with less continuous oversight. If the multi-day detection gap described in secondary reporting is accurate, it aligns with a broader trend in which resource-constrained providers discover intrusions later and lose more records as a result.
“Smaller practices are often the softest targets because they have the same valuable data as large hospital networks but a fraction of the security budget,” is how cybersecurity professionals frequently describe the disparity. The full HHS breach portal dataset is publicly downloadable, and researchers have used it to compare discovery-to-submission intervals across provider sizes and specialties. The data consistently shows that smaller entities tend to report longer windows between intrusion and detection. For patients, that pattern translates directly into greater risk: every additional day an attacker spends inside a network is another day to locate, copy, and exfiltrate sensitive files.
What affected patients should do now
Anyone who has been a patient of Access Sports Medicine & Orthopaedics should check their mail for a breach notification letter. If one has not arrived, contact the practice directly to confirm whether your records were involved.
Beyond that, these steps can help limit the damage:
- Place a credit freeze. Contact Equifax, Experian, and TransUnion to freeze your credit files. The process is free and blocks new accounts from being opened using your stolen information.
- Set up fraud alerts. A fraud alert requires creditors to verify your identity before issuing new credit. You only need to contact one bureau, and it will notify the other two.
- Monitor your IRS tax transcripts. Stolen Social Security numbers are frequently used to file fraudulent tax returns. Check your IRS account online for any filings you did not authorize.
- Review bank and credit card statements regularly. Enable transaction alerts so you are notified of any unusual activity in real time.
- Use strong, unique passwords for any online portals tied to your healthcare or insurance accounts. If you reused a password across multiple sites, change it immediately.
Patients whose Social Security numbers were exposed should treat this as a long-term threat, not a one-time event. Credit monitoring is helpful, but a credit freeze is the single most effective step to prevent new accounts from being opened in your name.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
