Cunningham Prosthetic Care Data Breach Exposes Social Security Numbers and Medical Records

Healthcare data breach illustration
Breach Discovery: 22nd October 2025Breach Notification: 1st May 2026

What Happened in the Cunningham Prosthetic Care Data Breach?

Cunningham Prosthetic Care LLC, a family-owned prosthetic and orthotic practice based in Saco, Maine, has disclosed a data breach affecting thousands of patients. The Cunningham Prosthetic Care data breach centered on a compromised company email account. According to the company, an unauthorized individual may have gained access to the account on or about Oct. 22, 2025.

The practice discovered the intrusion on that same date. However, understanding exactly what happened next took considerable time. Because email accounts often contain years of accumulated messages and attachments, determining the scope of exposure required a careful, methodical review.

As a result, Cunningham Prosthetic Care brought in outside cybersecurity professionals to investigate. These experts specialize in handling incidents like this one. Their work involved reviewing the contents of the compromised account and identifying which files may have been affected.

The investigation took several months to complete. On March 4, 2026, more than four months after the breach was first discovered, investigators determined that the affected files contained both personal information and protected health information. This finding prompted the company to begin notifying regulators and affected individuals.

Who was affected?

The breach affected patients of Cunningham Prosthetic Care whose information was stored in or referenced by the compromised email account. In total, the company determined that 2,523 individuals across the United States were affected.

Because Cunningham Prosthetic Care is a healthcare provider, the affected population likely includes current and former patients who received prosthetic or orthotic care. In addition, the breach may have touched records containing sensitive medical details tied to treatment history. The company has not disclosed whether any employees were also affected, so patients should assume they are the primary group at risk.

What Information Was Potentially Exposed?

The investigation identified several categories of sensitive information within the compromised email account. This mix of personal and health-related data makes the incident particularly serious for those affected.

  • Full names
  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers
  • Medical treatment and diagnostic information
  • Medical record numbers
  • Health insurance information

This combination of data creates meaningful risk. For example, Social Security numbers and driver’s license numbers are often enough on their own to open new credit accounts or file fraudulent tax returns. When combined with a full name and date of birth, criminals have nearly everything needed to impersonate a victim.

Meanwhile, the exposure of medical treatment information and health insurance details raises the risk of medical identity theft. This means someone could use a victim’s insurance information to obtain treatment or equipment under their name. Consequently, unfamiliar charges could show up on medical bills or insurance statements without the victim ever visiting a provider.

What is the company doing?

In response to the breach, Cunningham Prosthetic Care worked closely with external cybersecurity professionals throughout the investigation. This partnership helped the company determine the scope of the compromise and identify which individuals were affected. Once that work was complete, the company reported the incident to the Massachusetts Office of Consumer Affairs and Business Regulation and to the U.S. Department of Health and Human Services, beginning May 1, 2026.

In addition, Cunningham Prosthetic Care posted a notice about the incident on its website and began directly notifying affected individuals. The notification included guidance on best practices for protecting personal and medical information. The company also set up a dedicated toll-free response line, available for 90 days, so affected individuals can ask questions or request more information.

What Should Affected Individuals Do?

Place a Fraud Alert or Credit Freeze

Given that Social Security numbers and driver’s license numbers were exposed, affected individuals should strongly consider placing a fraud alert on their credit files. This can be done by contacting just one of the three major credit bureaus, since that bureau is required to notify the other two.

For even stronger protection, individuals can place a security freeze on their credit reports. This step prevents new credit, loans, or services from being approved in someone else’s name without explicit authorization. Because freezes can be lifted temporarily when needed, they offer strong protection without permanently blocking legitimate credit activity.

Monitor Credit Reports Regularly

Affected individuals should request free credit reports at AnnualCreditReport.com. Reviewing these reports carefully can help catch unfamiliar accounts or unauthorized inquiries early.

Because identity thieves sometimes wait months before using stolen data, ongoing monitoring matters just as much as an initial check. Therefore, individuals should consider checking their reports periodically over the coming months, not just once, to catch any suspicious activity as soon as it appears.

Review Medical and Insurance Records

Because medical record numbers and health insurance information were exposed, affected individuals should review their Explanation of Benefits statements closely. Any unfamiliar medical services or charges could indicate that someone else is using their insurance information.

If something looks off, individuals should contact their insurance company or care provider right away. Catching medical identity theft early can prevent inaccurate information from ending up in a person’s permanent medical record, which can otherwise be difficult and time-consuming to correct.

Stay Alert for Phishing Attempts

Scammers often use data breach notifications as bait for phishing schemes. As a result, affected individuals should watch for suspicious emails, calls, or texts that reference Cunningham Prosthetic Care or this breach by name.

Legitimate companies rarely ask for sensitive information over unsolicited communications. If anyone receives a message asking to confirm personal details or click a suspicious link, they should verify it independently before responding. Reporting suspected identity theft to the Federal Trade Commission and filing a police report, when appropriate, can also help limit further damage.



More Information

Official Notice from Cunninghamprostheticcare

Official Notice from Mass

HHS Office for Civil Rights Breach Notification Portal

Official Notice from Cunninghamprostheticcare

Related Data Breaches