Almeida Law Group is investigating a data breach at Orrstown Bank. The breach occurred on 09/17/2025 and was discovered on 05-21-2026. If you were affected, contact Almeida Law Group.
About Orrstown Bank
Orrstown Bank is a community bank and wholly-owned subsidiary of Orrstown Financial Services, Inc. (NASDAQ: ORRF), founded in 1919 and headquartered in Harrisburg, Pennsylvania. It offers personal banking, commercial and residential lending, deposit services, wealth management, and financial advisory services, operating over 45 locations across Pennsylvania and Maryland. Because the bank handles sensitive financial and personal data for its customers, a breach affecting that information carries meaningful risks of identity theft and financial fraud.
What Happened?
Orrstown Bank was listed in a Maine Attorney General filing dated June 11, 2026. The incident is classified as an external system breach (hacking), and approximately 83,938 individuals were affected. Consumers were notified on June 11, 2026. The data that could have been compromised includes names, dates of birth, addresses, Social Security numbers or individual tax identification numbers, account numbers, and government ID numbers such as driver’s license or passport numbers, as stated in Orrstown’s notification letter.
The breach did not originate within Orrstown Bank’s own systems. The hacking incident occurred at Mercadien, P.C. CPAs, a third-party accounting and advisory firm based in Hamilton, New Jersey, that Orrstown used for advisory services. Mercadien discovered the breach on November 7, 2025, but did not notify Orrstown Bank until May 21, 2026—more than eight months after the initial intrusion and more than six months after Mercadien’s own discovery. Orrstown disclosed the vendor cybersecurity incident to the SEC via Form 8-K on May 31, 2026. Mercadien’s broader breach affected approximately 402,741 individuals across multiple client organizations and has already generated class action litigation in New Jersey federal court, including Johnson v. Mercadien, P.C., CPAs (3:26-cv-02012, filed February 25, 2026) and a separate proposed class action filed by Anthony Delgado, both alleging inadequate security measures and delayed notification. Attorneys are also separately investigating whether a class action can be filed on behalf of Orrstown Bank customers specifically. This is not Orrstown’s first incident: in July 2018, a phishing scam exposed information belonging to more than 50,000 customers. No specific threat actor or ransomware group has been publicly attributed to the current breach.
Key Facts at a Glance
- Company or Organization: Orrstown Bank
- Industry: Financial Services / Community Banking
- Location: 4750 Lindle Road, Harrisburg, Pennsylvania 17111
- Incident type: External system breach (hacking) at third-party vendor Mercadien, P.C. CPAs
- Date of breach: September 17, 2025
- Date breach discovered: May 21, 2026 (date Orrstown was notified by Mercadien)
- Date of consumer notification: June 11, 2026
- Total persons affected: Approximately 83,938
- Identity theft protection offered: Yes — Experian IdentityWorks, 24 months
- Prior breach: Yes — July 2018 phishing incident affecting 50,000+ customers
- Litigation status: Class action investigation underway for Orrstown Bank customers; class actions already filed against Mercadien in New Jersey federal court (Johnson v. Mercadien, 3:26-cv-02012; Delgado v. Mercadien)
- Source: Maine AG Filing; ClassAction.org – Orrstown Bank; ClassAction.org – Mercadien; Johnson v. Mercadien – Law.com Radar
What Should You Do?
If you received a notice from Orrstown Bank, consider enrolling in the free 24-month Experian IdentityWorks membership offered in the letter—follow the instructions in your notice and enroll before the deadline provided with your activation code. Beyond that, you can place a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion) to make it harder for someone to open new accounts in your name. Monitor your bank and financial accounts closely for any unauthorized activity, and review your credit reports at AnnualCreditReport.com for any unfamiliar accounts or inquiries. If you believe your information has already been misused, visit IdentityTheft.gov to create a personalized recovery plan.
Your Legal Rights
If your personal information was involved in this breach, you may have legal rights depending on the facts of the incident and the law in your state. Almeida Law Group represents consumers in data breach and privacy litigation and can help you evaluate whether you may have a claim. Contact us at (708) 529-5418 or through our contact page for a free case evaluation.
