Bone & Joint Experiences Data Security Incident

Bone & Joint Clinic experienced a data security incident that may have involved personal and protected health information belonging to current and former employees as well as current and former patients. Bone & Joint has notified potentially affected individuals of the incident and offered resources to assist them. 

On January 16, 2023, Bone & Joint experienced a network disruption and immediately initiated an investigation of the matter and engaged cybersecurity experts to assist with the process. The investigation determined that certain administrative and medical files may have been acquired without authorization. After a thorough review of those files, on or about January 27, 2023, personal information was identified as being contained within the potentially affected data. Once the personal information was identified, Bone & Joint worked diligently to gather contact information needed to notify all potentially affected individuals and engaged resources to provide notification and remediation services. 

Bone & Joint is not aware of any evidence of the misuse of any information potentially involved in this incident. However, on March 7, 2023, Bone & Joint provided notice of this incident to the potentially affected individuals. In doing so, Bone & Joint provided information about the incident and about steps individuals can take to protect their information. Bone & Joint takes the security and privacy of employee and patient information seriously and has taken steps to prevent a similar event from occurring in the future. 

Bone & Joint is offering all potentially affected individuals with complimentary identity protection services for 12 months through IDX, a leader in consumer identity protection. These services include dark web monitoring, a $1,000,000 identity theft insurance reimbursement policy, and fully managed identity theft recovery services. Those individuals whose Social Security numbers may have been affected have also been offered complimentary credit monitoring for 12 months. 

The following personal and protected health information may have been involved in the incident: names, dates of birth, Social Security numbers, home addresses, phone numbers, health insurance information, and diagnosis and treatment information.