Columbia Orthopaedic Group Data Breach–What You Need to Know & What to Do Next
Overview
Columbia Orthopaedic Group reported a cybersecurity incident after the LockBit 5 ransomware group claimed responsibility for an attack in late May 2026. The incident potentially exposed protected health information and personal data belonging to orthopedic patients across Missouri and the Midwest region.
Columbia Orthopaedic Group is a premier orthopedic and musculoskeletal (MSK) healthcare provider based in Columbia, Missouri. Since its founding in 1965, the group has delivered comprehensive orthopedic care to patients across Missouri and the Midwest. The practice employs 47 board-certified and fellowship-trained physicians spanning 16 specialties, including foot & ankle surgery, fracture care, hand surgery, hip surgery, knee surgery, pain management, shoulder surgery, spine surgery, and sports medicine.
The group operates a main clinic at 1 S Keene Street in Columbia and owns The Surgical Center at Columbia Orthopaedic Group, which opened in July 2008 and provides fully-equipped operating rooms for same-day orthopedic surgery. More than 26 surgeons perform procedures at the surgical center. The practice also offers comprehensive ancillary services including diagnostic imaging (X-ray, MRI, CT), outpatient surgery, PRP therapy, bracing, and orthotics.
According to ransomware threat intelligence, LockBit 5 posted Columbia Orthopaedic Group to its data leak site on June 11, 2026, with an estimated attack date of May 25, 2026. The group has not disclosed specific details about the types and volume of data allegedly stolen.
LockBit 5 has been one of the most prolific ransomware groups targeting healthcare organizations since its resurgence in late 2025. The group has claimed attacks across Windows, Linux, and ESXi environments in Europe, the Americas, and Asia, and has been particularly active in targeting healthcare providers.
What Information May Have Been Exposed In the Columbia Orthopaedic Group Data Breach?
As of this writing, specific details about the types and volume of data allegedly stolen have not been publicly disclosed. However, orthopedic practices typically maintain patient records including names, addresses, dates of birth, Social Security numbers, medical record numbers, insurance information, diagnoses, treatment and surgical records, prescription information, imaging files (X-rays, MRI scans), and billing and payment information.
Given the practice’s size and scope, the potential number of affected patients could be substantial, potentially including individuals treated for orthopedic conditions, sports injuries, joint problems, spine issues, and surgical procedures over many years.
How Columbia Orthopaedic Group Responded to the Breach?
As of this writing, Columbia Orthopaedic Group has not issued a public statement regarding the alleged ransomware attack. The practice has not confirmed the incident or provided details about its investigation or notification plans.
Healthcare providers that experience breaches involving protected health information are required to notify affected individuals, the U.S. Department of Health and Human Services, and in some cases the media, within specified timeframes under HIPAA. Missouri also has data breach notification laws that would apply to Columbia Orthopaedic Group.
How to Check If Your Personal Info Is Exposed
If you are a current or former patient of Columbia Orthopaedic Group or have received orthopedic care at the Columbia clinic or The Surgical Center at Columbia Orthopaedic Group, your protected health information and personal data may have been exposed in this breach.
Monitoring your accounts, reviewing credit reports and explanation of benefits statements, and watching for notification letters from Columbia Orthopaedic Group are crucial steps in assessing your potential exposure.
What You Can Do If Your Information Was Exposed
If your medical information may have been part of the Columbia Orthopaedic Group breach, review your financial accounts, credit reports, and medical explanation of benefits forms for any unfamiliar activity. Update account passwords, particularly for patient portals where you may have reused passwords.
Consider placing a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion). Be vigilant for signs of medical identity theft, including unexpected medical bills, explanation of benefits statements for orthopedic services you did not receive, or insurance claims for surgeries or treatments you did not undergo.
Be cautious of phishing attempts following this breach. Acting now can limit the long-term consequences and protect your personal, financial, and medical information.
Understanding Your Legal Rights: Data Breach Lawyer Near Me
Victims of data breaches may be entitled to legal remedies if a healthcare provider did not adequately safeguard their protected health information. Healthcare providers have heightened duties under HIPAA and state law to protect the sensitive medical and personal information they collect and maintain.
Almeida Law Group is actively reviewing the Columbia Orthopaedic Group incident to determine what legal options may be available for those affected.
If you are a patient of Columbia Orthopaedic Group or The Surgical Center at Columbia Orthopaedic Group and believe your medical information may have been exposed, you can contact Almeida Law Group for a free consultation.
