NoHacky briefings: gpoa-data-breach-ransomhouse-2025
Category: breach
Author: NoHacky
Published: March 2026 (updated March 26, 2026)
Read time: 12 min

Hit Twice, Told Once: The Greater Pittsburgh Orthopaedic Associates Breach Raises Hard Questions About Healthcare Cybersecurity

When patients walk into an orthopedic clinic, their biggest worry is usually a torn ligament or a herniated disc. They are not thinking about whether the practice storing their Social Security number, medical records, and home address has adequate cybersecurity defenses. But a growing number of healthcare patients are finding out the hard way that the organizations they trust with their most sensitive information are also among the most vulnerable targets for cybercriminals.

Greater Pittsburgh Orthopaedic Associates (GPOA), Pittsburgh's oldest continuously operating orthopedic surgery practice, recently disclosed a data breach that affected 56,954 individuals across the United States. The breach, attributed to the ransomware group RansomHouse, exposed patient names, mailing addresses, Social Security numbers, and provider information. But beneath the surface of this already alarming incident lies a much more troubling story -- one that involves possible repeat attacks, a delayed notification timeline that stretched nearly six months, and lingering questions that GPOA has so far declined to answer.

This is the kind of incident that should serve as a wake-up call for healthcare organizations of every size. And for patients, it is a stark reminder that your data is only as safe as the weakest link in your provider's security chain.

Key figures:

  • Patients affected: 56,954 (names, addresses, SSNs, and provider records exposed)
  • Notification delay: 180 days, three times the 60-day HIPAA maximum; patients were unprotected all that time
  • Possible attacks: 2, DonutLeaks (May 2024) and RansomHouse (Aug 2025), 14 months apart
RansomHouse Attack Chain (GPOA), mapped to MITRE ATT&CK techniques:

  1. Initial Access (T1190)
  2. Credential Harvest (T1003 / T1078)
  3. Lateral Movement (T1021)
  4. Data Collection (T1005 / T1083)
  5. Exfiltration (T1041)
  6. Encryption / Extortion (T1486 / T1657)

The Timeline: What Happened and When

According to filings with multiple state attorneys general offices and reporting from DataBreaches.net, here is what we know about how the GPOA breach unfolded:

On August 9, 2025, unauthorized individuals accessed GPOA's computer network. The breach was detected the following day, August 10, 2025, according to GPOA's own notification letters and HHS filing. (Some secondary sources, including the class action complaint, cite August 22 as the discovery date, which may reflect when GPOA's forensic investigation confirmed the scope of the breach rather than the initial detection event.) Ten days later, on August 20, the ransomware group RansomHouse claimed responsibility for the attack on its dark web leak site, posting what it described as proof of the data it had obtained. The group's listing indicated that GPOA's systems had been encrypted -- a claim that GPOA's own notification letters did not acknowledge, describing the event only as unauthorized access.

On August 27, 2025, GPOA reported the incident to the U.S. Department of Health and Human Services (HHS), initially estimating that 35,000 patients had been affected. That number would later be revised significantly upward.

It was not until February 5, 2026 -- nearly six months after the breach was detected -- that individual notification letters were mailed to affected patients. And it was only in February 2026 filings with the attorneys general of Maine, Massachusetts, and Vermont that the revised total of 56,954 affected individuals was disclosed.

Warning: As DataBreaches.net reported, the listing on HHS's public breach tool has still not been updated to reflect the higher patient count, and the investigation has not been marked as closed.

The Notification Gap: A Recurring Problem in Healthcare

Under the HIPAA Breach Notification Rule, covered entities are required to notify affected individuals of a breach without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach, as stated by HHS in its official guidance on breach notification requirements.

GPOA detected the breach on August 10, 2025. Notification letters were not sent until February 5, 2026. That is approximately 180 days -- three times the maximum window permitted under HIPAA.

HIPAA Notification Compliance, GPOA vs. required window (chart): HIPAA maximum at day 60; HHS breach report filed within that window; patient notification letters sent at day 180, three times over the limit.
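To make the day-count arithmetic above reusable in an incident response plan, here is an added example (not code from the briefing, GPOA, or any regulator) that computes the HIPAA individual-notice and HHS-report deadlines from a discovery date, applying the 60-day rule the article cites and also the separate annual-reporting rule for breaches under 500 individuals, which the article does not discuss. The GPOA dates and count are those reported above; the small-breach case in the usage note is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# 45 CFR 164.404(b): individual notice without unreasonable delay and in no
# case later than 60 calendar days after discovery of the breach.
HIPAA_MAX_DAYS = 60
# 45 CFR 164.408: breaches affecting 500 or more individuals are reported to
# HHS within that same 60-day window; smaller breaches are logged and reported
# within 60 days after the end of the calendar year in which they were discovered.
LARGE_BREACH_THRESHOLD = 500


@dataclass(frozen=True)
class BreachRecord:
    discovered: date
    affected: int
    individuals_notified: Optional[date]  # date notification letters were mailed
    hhs_notified: Optional[date]          # date the HHS breach report was filed


def _parse(iso: Optional[str]) -> Optional[date]:
    return None if iso is None else date.fromisoformat(iso)


def record(discovered: str, affected: int,
           individuals_notified: Optional[str] = None,
           hhs_notified: Optional[str] = None) -> BreachRecord:
    """Build a record from ISO dates (YYYY-MM-DD); None means not yet done."""
    return BreachRecord(_parse(discovered), affected,
                        _parse(individuals_notified), _parse(hhs_notified))


def individual_deadline(rec: BreachRecord) -> date:
    return rec.discovered + timedelta(days=HIPAA_MAX_DAYS)


def hhs_deadline(rec: BreachRecord) -> date:
    if rec.affected >= LARGE_BREACH_THRESHOLD:
        return individual_deadline(rec)
    year_end = date(rec.discovered.year, 12, 31)
    return year_end + timedelta(days=HIPAA_MAX_DAYS)


def _status(deadline: date, done: Optional[date], as_of: date) -> str:
    """'on time' / 'late by N days' once sent; 'pending' / 'overdue by N days' if not."""
    if done is not None:
        late = (done - deadline).days
        return "on time" if late <= 0 else f"late by {late} days"
    overdue = (as_of - deadline).days
    return "pending" if overdue <= 0 else f"overdue by {overdue} days"


def assess(rec: BreachRecord, as_of: str) -> dict:
    """Days elapsed since discovery and compliance status for both notices."""
    today = date.fromisoformat(as_of)
    ind_dl, hhs_dl = individual_deadline(rec), hhs_deadline(rec)

    def elapsed(d: Optional[date]) -> Optional[int]:
        return None if d is None else (d - rec.discovered).days

    return {
        "individual_deadline": ind_dl.isoformat(),
        "individual_days": elapsed(rec.individuals_notified),
        "individual_status": _status(ind_dl, rec.individuals_notified, today),
        "hhs_deadline": hhs_dl.isoformat(),
        "hhs_days": elapsed(rec.hhs_notified),
        "hhs_status": _status(hhs_dl, rec.hhs_notified, today),
    }


# Dates and affected count as reported in the briefing above.
GPOA = record("2025-08-10", 56_954,
              individuals_notified="2026-02-05", hhs_notified="2025-08-27")

if __name__ == "__main__":
    for key, value in assess(GPOA, as_of="2026-03-26").items():
        print(f"{key:>20}: {value}")
```

For the GPOA record this reports the HHS filing on time at day 17 and the patient letters at day 179, 119 days past the October 9, 2025 deadline; a constructed record of 120 individuals discovered on the same date gets an HHS deadline of March 1, 2026 instead.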

Now, there can be legitimate reasons for notification delays. Law enforcement may request a delay to avoid compromising an ongoing investigation. A complex forensic investigation may take time to determine the full scope of affected individuals. And in fairness, GPOA did report to HHS within the 60-day window, even if with an initial estimate that proved to be significantly lower than the final count.

Critical: For roughly six months, nearly 57,000 people were walking around with compromised Social Security numbers and personal data, completely unaware that they needed to take protective action. They were not monitoring their credit reports. They were not placing fraud alerts. They were not watching for signs of identity theft. Every day of delay is a day that a cybercriminal can exploit stolen data before a victim even knows to be on guard.

According to the HIPAA Journal, noncompliance with the Breach Notification Rule was the second most common reason for financial penalties assessed by HHS's Office for Civil Rights in 2025, trailing only risk analysis failures. In 2025, OCR closed 21 HIPAA cases with settlements or civil monetary penalties, five of which included penalties specifically for breach notification failures.

The delayed notification in the GPOA case is something that regulators, and the courts, will likely scrutinize closely.

Was This the Second Attack? The DonutLeaks Question

What makes the GPOA situation particularly concerning is that the August 2025 RansomHouse attack may not have been the first time the organization was targeted.

Prior Incident — Status Unconfirmed

DataBreaches.net uncovered that in May 2024, a different threat group called DonutLeaks (also tracked as D#NUT) posted a listing on its dark web leak site claiming to have breached an organization identified as "Pittsburgh's Trusted Orthopaedic Surgeons" -- a tagline GPOA prominently used on earlier versions of its website. DonutLeaks emerged in 2022 as an affiliate-linked data extortion group with ties to now-defunct ransomware operations including Hive and Ragnar Locker. By 2024, the group had largely shifted to pure data extortion without encryption, and its leak site eventually went offline. The group has a documented history of targeting healthcare organizations.

GPOA never appeared to respond publicly to the claims, and the alleged 2024 incident does not appear on HHS's public breach tool, which raises a significant question: if DonutLeaks did obtain real patient data in 2024, would that not constitute a reportable breach under HIPAA?

DataBreaches.net reported that it emailed GPOA's external counsel at Pierson Ferdinand LLP with three direct questions: whether GPOA confirmed or refuted RansomHouse's claims, what the correct number of affected patients is given the discrepancy between the August 2025 HHS filing and the February 2026 state attorney general filing, and what GPOA did in response to the 2024 DonutLeaks claims. As of publication, the email was read but no reply was received.

Note: If GPOA was in fact compromised in 2024 and then hit again in 2025 by a different ransomware group, it raises fundamental questions about whether the organization took adequate steps to secure its environment after the first incident.

Who Is RansomHouse -- and What Is the Iran Connection?

RansomHouse is a data extortion and ransomware group that first appeared in December 2021. It is known for a double-extortion model, but with a notable distinction from many ransomware operations: the group frequently skips file encryption entirely and focuses solely on data theft (T1657, Financial Theft), threatening to publish or sell stolen data if demands are not met. When it does encrypt, it has been observed using variants based on the leaked Babuk ransomware codebase (T1486, Data Encrypted for Impact). This data-theft-first approach can make intrusions stealthier and lead to longer dwell times, since no encryption event triggers the immediate alarms that full ransomware deployment would.

ATT&CK techniques referenced:

  • T1657, Financial Theft: adversaries steal monetary resources from targets through extortion, such as threatening to release stolen data unless a ransom is paid.
  • T1486, Data Encrypted for Impact: adversaries encrypt data to interrupt availability or hold it for ransom. Babuk-based variants are commonly deployed in healthcare sector attacks.

The group has targeted organizations across healthcare, manufacturing, critical infrastructure, education, and government. It typically gains initial access by exploiting vulnerabilities in public-facing applications (T1190) -- Citrix NetScaler, Palo Alto GlobalProtect, and VPN appliances are among the most commonly documented entry points -- and deploys tools including Cobalt Strike and Mimikatz for lateral movement (T1021) and credential harvesting (T1003, T1078) once inside a network.

ATT&CK techniques referenced:

  • T1190, Exploit Public-Facing Application: adversaries exploit weaknesses in internet-facing systems such as VPN appliances, Citrix NetScaler, and Palo Alto GlobalProtect gateways to gain initial access.
  • T1003, OS Credential Dumping: Mimikatz is used to dump credentials from Windows memory (LSASS), enabling lateral movement with valid account credentials.
  • T1021, Remote Services: Cobalt Strike Beacon enables lateral movement across networks using remote service protocols including SMB, WMI, and RDP.
  • T1078, Valid Accounts: once credentials are harvested, adversaries use them to move laterally and access encrypted systems without triggering decryption alarms.

One important nuance: a 2024 CISA/FBI/DC3 joint advisory identified an Iran-based threat group known as Pioneer Kitten (also tracked as Fox Kitten) that has operated as an access broker (T1583 / T1650, Acquire / Sell Infrastructure Access), selling network access to ransomware affiliates including RansomHouse. This means Iran-linked actors have facilitated some RansomHouse attacks by providing initial network footholds -- but RansomHouse itself is not an Iranian group. The advisory noted that Pioneer Kitten conducted this activity without disclosing its Iranian affiliation and appeared to keep it hidden from its ransomware contacts. Whether Pioneer Kitten played any role in the GPOA incident is unknown.

ATT&CK technique referenced:

  • T1583 / T1650, Acquire / Sell Infrastructure Access: Pioneer Kitten (Fox Kitten) exploited vulnerabilities to gain initial footholds, then sold that access to ransomware affiliates including RansomHouse, a well-documented access broker model.

Reports from 2024 and 2025 describe RansomHouse evolving from a closed private operation toward a hybrid ransomware-as-a-service (RaaS) model, selectively recruiting affiliate partners to expand its reach. The group has continued to claim victims into late 2025 and early 2026, including healthcare organizations, manufacturers, and educational institutions across multiple countries.

In the GPOA case, RansomHouse posted its claim on August 20, 2025, and included a proof pack with sample data (T1041, Exfiltration Over C2 Channel). The listing was never updated, which DataBreaches.net noted leaves open the question of whether the stolen data was ever leaked, sold, or whether GPOA engaged in any negotiation with the group. Notably, GPOA's own February 2026 notification letter to patients made no mention of ransomware or any extortion attempt -- describing the incident only as "unauthorized access" to its network.

ATT&CK technique referenced:

  • T1041, Exfiltration Over C2 Channel: data is exfiltrated through the same command-and-control channel used to manage the intrusion, making it harder to distinguish from normal traffic. Proof packs posted to leak sites demonstrate successful exfiltration.

Healthcare Under Siege: The Bigger Picture

The GPOA breach is not an isolated incident. It is one data point in what has become an epidemic of ransomware groups targeting healthcare -- a pattern that shows no sign of slowing. The playbook of ransomware operators hitting multiple industries in rapid succession has become normalized, with healthcare consistently among the highest-value targets due to the sensitivity of its data and the operational pressure to restore systems quickly.

According to Black Fog's 2025 State of Ransomware Report, healthcare was the most targeted sector in 2025, accounting for 22% of disclosed ransomware attacks. Disclosed ransomware attacks across all sectors increased 49% year-over-year to a record-high of 1,174 attacks, while undisclosed attacks surged 37%, with over 7,000 victims posted on dark web leak sites.

Data exfiltration occurred in 96% of ransomware attacks in 2025, meaning that in nearly every case, attackers stole data before encrypting systems (T1005, Data from Local System).

ATT&CK technique referenced:

  • T1005, Data from Local System: adversaries collect sensitive files from local systems prior to exfiltration; patient records, SSNs, and provider data are high-value targets in healthcare breaches.

Sophos's State of Ransomware in Healthcare 2025 report painted a nuanced picture. On one hand, healthcare organizations are getting better at stopping attacks before encryption occurs -- only 34% of attacks resulted in data encryption in 2025, down from 74% the prior year, with 53% of providers now able to halt an attack before it reaches the encryption stage. On the other hand, attackers are adapting. The proportion of healthcare organizations that experienced extortion-only attacks -- where data is stolen and a ransom demanded without any encryption -- tripled from 4% in 2022/2023 to 12% in 2025, the highest rate recorded across the study's five-year history.

According to the American Hospital Association's 2025 Cybersecurity Year in Review, 100% of hacked healthcare data in recent major breaches was unencrypted -- either because stolen credentials gave attackers access to encrypted systems without needing to break the encryption, or because the data was stored in an unencrypted state outside of electronic health record systems. The financial impact is staggering. The average cost of a healthcare data breach in 2025 was $7.42 million, according to Black Fog's report. While ransom demands in healthcare have actually declined -- dropping from a median of $4 million in 2024 to $343,000 in 2025, with actual payments falling from $1.47 million to just $150,000 -- the total cost of recovery, regulatory exposure, and legal liability continues to mount.

GPOA is already facing legal consequences. On August 29, 2025, the law firm Shub Johns & Holbrook filed a class action lawsuit against GPOA on behalf of individuals affected by the breach. The suit alleges potential harm from the exposure of sensitive personal and health information.

On October 21, 2025, the Pennsylvania Court of Common Pleas for Allegheny County consolidated related actions and appointed interim co-lead counsel for the plaintiffs. A consolidated amended complaint was ordered to be filed by November 21, 2025.

Additional law firms including Migliaccio & Rathod LLP and Srourian Law Firm have also launched investigations into the breach, seeking to identify affected individuals who may be entitled to compensation.

For GPOA -- a practice with multiple orthopedic specialists and seven office locations across the Pittsburgh metro area -- the combined weight of regulatory scrutiny, class action litigation, and reputational damage could be significant.

How to Protect Yourself: Steps Affected Patients Should Take Now

If you are a current or former patient of GPOA, here are steps you should take immediately:

  1. Review the notification letter carefully. GPOA indicated that compromised data may include your name, mailing address, Social Security number, and provider name. Understand exactly what was exposed.
  2. Enroll in the credit monitoring services offered. GPOA has arranged credit report monitoring and credit score services through Cyberscout (TransUnion) for affected individuals. Take advantage of this even if you have not yet noticed suspicious activity.
  3. Place a fraud alert or credit freeze. Contact each of the three major credit bureaus -- Equifax, Experian, and TransUnion -- to either place a fraud alert (free and lasts one year) or freeze your credit entirely (also free and remains in place until you lift it). A credit freeze prevents new accounts from being opened in your name.
  4. Monitor your accounts and credit reports. Check your bank accounts, credit card statements, and explanation of benefits (EOB) statements from your health insurer for any unfamiliar activity. Medical identity theft can be harder to detect than financial fraud, so pay special attention to EOBs that list services or providers you do not recognize.
  5. File your taxes early. Stolen Social Security numbers are frequently used for tax refund fraud. Filing early reduces the window for a criminal to file a fraudulent return in your name.
  6. Report suspicious activity. If you notice signs of identity theft, report it to the Federal Trade Commission at IdentityTheft.gov, file a police report, and notify your financial institutions.

Lessons for Healthcare Organizations

The GPOA breach reinforces several critical lessons that apply to healthcare organizations of all sizes.

  • Patch management cannot be optional. RansomHouse is known for exploiting vulnerabilities in public-facing applications (T1190, Exploit Public-Facing Application); unpatched internet-facing systems, such as VPNs, remote access gateways, and web applications, are the most common initial access vector in healthcare ransomware attacks. Keeping systems patched and up to date is foundational to preventing these kinds of attacks.
  • Incident response planning must include breach notification timelines. A six-month gap between detection and patient notification is not just a compliance issue -- it is a trust issue. Organizations need clear, practiced incident response plans that account for the regulatory requirement to notify within 60 days.
  • If you have been breached before, assume you will be targeted again. The possibility that GPOA was hit by two different ransomware groups in the span of roughly 14 months is a cautionary tale. A prior compromise should trigger heightened monitoring, thorough remediation, and verification that the attacker's access has been fully eradicated. This also extends to third-party vendor trust -- a single weak link in the supply chain can expose thousands of records without the primary organization ever being the direct target.
  • Data encryption strategy requires more than a checkbox. The AHA's reporting confirms that 100% of hacked healthcare data in recent major breaches was accessible to attackers without breaking encryption -- either through stolen credentials that unlocked encrypted systems, or because data was stored unencrypted outside of EHRs. Encrypting data at rest is necessary but not sufficient; organizations also need to audit where sensitive data actually lives across their entire environment and ensure that access to encrypted data is tightly controlled.
  • Cybersecurity is a patient safety issue. When patient data is compromised, it is not just an IT problem. It can lead to identity theft, medical fraud, financial harm, and erosion of the trust that is essential to the patient-provider relationship.

The Bottom Line

The Greater Pittsburgh Orthopaedic Associates breach is a case study in many of the persistent failings that continue to plague healthcare cybersecurity: possible repeat compromises, delayed notifications, opaque communication, and a ransomware ecosystem that continues to view healthcare as a target-rich environment.

For the nearly 57,000 individuals whose data was exposed, the consequences are real and potentially long-lasting. For the healthcare industry as a whole, incidents like this should serve as an urgent reminder that cybersecurity investment is not a luxury -- it is a fundamental obligation to the patients who entrust providers with their most sensitive information.

The questions that DataBreaches.net posed to GPOA's counsel remain unanswered. Whether regulators, the courts, or the court of public opinion will eventually compel those answers remains to be seen. But one thing is clear: silence in the wake of a breach does not inspire confidence, and patients deserve better.

Frequently Asked Questions

What data was exposed in the GPOA breach?

The breach exposed patient names, mailing addresses, Social Security numbers, and provider information for 56,954 individuals. The attack was attributed to the ransomware group RansomHouse, which claimed responsibility on August 20, 2025.

Why did GPOA take six months to notify patients?

GPOA detected the breach on August 10, 2025 but did not mail patient notification letters until February 5, 2026 -- approximately 180 days later, or three times the 60-day maximum permitted under HIPAA. GPOA has not publicly explained the delay, and the matter is likely to face regulatory and legal scrutiny.

Was GPOA attacked twice?

Possibly. DataBreaches.net uncovered a May 2024 listing on the DonutLeaks dark web site claiming a breach of an organization matching GPOA's description and tagline. If that incident was real and unreported, the August 2025 RansomHouse attack may represent a second compromise within roughly 14 months -- raising serious questions about whether adequate remediation followed the first event.

Who is RansomHouse?

RansomHouse is a data extortion and ransomware group that first emerged in December 2021. It operates a double-extortion model -- often stealing data without encrypting systems -- and has targeted healthcare, manufacturing, critical infrastructure, and government organizations. A 2024 CISA advisory identified an Iran-linked access broker that has sold network footholds to RansomHouse affiliates, though RansomHouse itself is not an Iranian group.

Is there a class action lawsuit against GPOA?

Yes. A class action was filed on August 29, 2025 by Shub Johns & Holbrook LLP. On October 21, 2025, the Pennsylvania Court of Common Pleas for Allegheny County consolidated related actions and appointed interim co-lead counsel. Additional law firms including Migliaccio & Rathod LLP and Srourian Law Firm have also launched investigations into the breach.

What should GPOA patients do after this data breach?

Affected patients should review their notification letter, enroll in the credit monitoring GPOA arranged through Cyberscout (TransUnion), place a fraud alert or credit freeze with all three major credit bureaus (Equifax, Experian, TransUnion), monitor bank and health insurance statements for unusual activity, file taxes early to reduce the risk of refund fraud, and report any suspected identity theft to IdentityTheft.gov.

Sources

  • DataBreaches.net, "Greater Pittsburgh Orthopaedic Associates disclosed a 2025 breach, but was there also one in 2024?" (February 24, 2026)
  • HIPAA Journal, "Healthcare Remains the Sector Most Targeted by Ransomware Groups as Attacks Increase 49% YOY" (February 2026)
  • Paubox, "Greater Pittsburgh Orthopedic Associates hit by RansomHouse threat group" (February 2026)
  • Teiss, "Greater Pittsburgh Orthopedic Associates data breach affected over 55,000 people" (2025)
  • FortiGuard, "RansomHouse Ransomware -- Threat Actor" profile
  • CISA/FBI/DC3, "Iran-Based Cyber Actors Enabling Ransomware Attacks on US Organizations" (Advisory AA24-241A, August 2024)
  • SCILabs, "Threat Profile: RansomHouse" (December 2023)
  • Sophos, "State of Ransomware in Healthcare 2025" (October 2025)
  • American Hospital Association, "2025 Cybersecurity Year in Review, Part One: Breaches and Defensive Measures" (October 2025)
  • Black Fog, "The State of Ransomware 2025" (January 2026)
  • HHS.gov, "Breach Notification Rule" guidance
  • Shub Johns & Holbrook LLP, GPOA class action filing (August 29, 2025)
  • ClaimDepot, "Greater Pittsburgh Orthopaedic Associates Data Breach" investigation (February 2026)
  • SOCRadar, "Dark Web Profile: DonutLeaks" (November 2024)
  • Maine Attorney General's Office, GPOA breach notification filing (February 2026)