
May 18, 2026 · 8 min read

Western Orthopaedics Just Sent 113,330 Patients a Letter—Their Social Security Numbers, Passwords, and Full Medical Histories Are on PEAR's Leak Site

The attacker was inside the network for eight days last September. The clinic spent five months piecing together exactly what got copied. Then PEAR—Pure Extraction And Ransom, the cyber extortion crew that has now hit 57 organizations in under nine months—posted the data when the ransom window closed. The notification letters reached patients this month.


An Eight-Day Intrusion in September, a Notification in May

Western Orthopaedics is a Colorado specialty practice—the kind of mid-size clinic that handles joint replacements, sports injuries, and pain management for tens of thousands of patients across a regional footprint. According to the breach notification it filed, the unauthorized access to the practice's network occurred between September 17 and 25, 2025. The clinic noticed the intrusion on October 2 and engaged outside counsel and a forensic firm. The file-by-file review of what the attacker actually exfiltrated took until March 3, 2026—five months of paid forensic work to reconstruct exactly which records left the building.

The answer turned out to be most of them. 113,330 individuals are affected. The compromised data, by the clinic's own enumeration, includes:

  • Full names, residential addresses, phone numbers, and dates of birth
  • Social Security numbers
  • Passwords
  • Financial account information
  • Health insurance details
  • Medical dates of service and billing information

The presence of cleartext or recoverable passwords in a healthcare records dataset is the unusual detail. Most patient portal stacks hash passwords before storage, which means either the attacker was inside long enough to access an authentication endpoint and capture plaintext on the way in, or the clinic was storing credentials in a way that should not have survived an internal audit. The notification letter is not specific about which, but the inclusion of "passwords" as a discrete category of compromised data signals that any patient who reused their Western Orthopaedics portal password anywhere else should treat that password as burned.
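The storage question raised above, as an added example (not from the clinic's notification or any vendor's code): a heuristic audit that labels each value in a credential table export as recoverable, fast unsalted hash, or slow salted KDF, next to a scrypt-based storage routine. The `scrypt$...` record layout, the function names and the sample rows are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# Salted, deliberately slow formats: bcrypt, Argon2, and this example's own
# "scrypt$" layout (an assumption, not a standard encoding).
SLOW_KDF_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2i$", "$argon2id$", "scrypt$")
# Bare hex digests of MD5 / SHA-1 / SHA-256 length: unsalted and fast to guess.
FAST_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

def hash_password(password: str) -> str:
    """Hardened storage: random per-user salt + scrypt; only this string is kept."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"scrypt$16384$8$1${b64(salt)}${b64(digest)}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    _, n, r, p, salt, digest = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt),
                               n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(candidate, base64.b64decode(digest))

def classify(stored: str) -> str:
    """Heuristic audit label for one stored credential value."""
    if stored.startswith(SLOW_KDF_PREFIXES):
        return "slow-kdf"
    if FAST_HASH_RE.match(stored):
        return "fast-unsalted-hash"
    return "recoverable"  # plaintext or reversibly encoded: a dump yields passwords

def audit(rows):
    """Return {label: [usernames]} for a credential table export."""
    report = {}
    for user, stored in rows:
        report.setdefault(classify(stored), []).append(user)
    return report

# Constructed sample rows; no real accounts or credentials.
SAMPLE_ROWS = [
    ("patient_a", "Spring2025!"),                               # plaintext
    ("patient_b", hashlib.sha256(b"Spring2025!").hexdigest()),  # unsalted SHA-256
    ("patient_c", hash_password("Spring2025!")),                # salted scrypt
]
```

Any row labelled `recoverable` or `fast-unsalted-hash` is a finding: the first hands over passwords directly in a dump, the second falls to offline guessing.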

PEAR Is a Nine-Month-Old Crew With a 41-Day Dwell Time

PEAR—the public name reads Pure Extraction And Ransom—first surfaced on August 5, 2025. The crew's self-description, posted to their leak site, is that they are a "responsible and disciplined" team that targets organizations with weak security practices. The "responsible" framing is marketing for victim organizations trying to decide whether to pay. The substance, as documented by threat intelligence researchers, is the standard data-extortion playbook: gain access, sit quiet, exfiltrate selectively, then ransom the dataset.

Between August 2025 and February 2026, PEAR claimed 57 distinct victims. The sector breakdown is uneven: 31 in Business Services, 17 in Healthcare, 6 in Manufacturing, 6 in Financial Services, and 5 in Technology. 53 of the 57 are U.S.-based. The crew's most useful technical signature is the 41-day average dwell time between initial access and public listing on their leak portal. Western Orthopaedics is consistent with that profile—the attacker was inside for eight days in September, the clinic disclosed it in October, and PEAR posted the data on their leak portal months later when negotiations broke down.

PEAR's typical initial access vector, according to tracking by threat intelligence platforms, is credential compromise via phishing or exploitation of unpatched third-party integrations and APIs. That maps neatly onto the healthcare practice attack surface, where small clinics tend to outsource billing, scheduling, EHR hosting, and patient portal infrastructure to a half-dozen different SaaS vendors. Any one of those integrations is a viable entry point.

Three Other Practices Disclosed the Same Week

Western Orthopaedics' notification is one of four healthcare breach disclosures that landed in the same week. The pattern is worth holding against the Western Orthopaedics specifics:

  • Community Health Systems (California) — Suspicious activity identified February 28, 2026. Compromised data includes names, SSNs, driver's license numbers, diagnoses, prescriptions, Medicare and Medicaid IDs, and provider names. Number of affected individuals not yet disclosed.
  • Tri-Cities Gastroenterology (Tennessee) — Security incident on December 11, 2025. File review completed April 22, 2026. The Insomnia threat group claimed responsibility and leaked the data after the ransom was not paid. Compromised data includes names, SSNs, dates of birth, and medical record numbers.
  • Integrated Pain Associates (Texas) — Unauthorized access on February 24, 2026. Compromised data includes names, addresses, SSNs, driver's license numbers, diagnoses, medications, and financial account information. File review still in progress at notification time.

Four practices. Four different threat actor attributions. Four different initial access dates spread across six months. One common thread: the notification window between intrusion and patient notice is now consistently four to eight months, during which the affected patients have no idea their data is in motion.

Healthcare Is PEAR's Second Sector for a Reason

Healthcare ranks second only to business services on PEAR's victim list, and the dynamic is the same across the broader extortion economy. Healthcare practices have three properties that make them disproportionately attractive to ransomware and extortion crews:

  • High-value records, low security spend. A complete medical record sells for $250 to $1,000 on dark web markets—roughly 50x what a credit card record fetches. Most independent practices spend less than 2% of revenue on cybersecurity, against an industry average closer to 6% in other sectors of comparable record value.
  • Compliance pressure favors payment. HIPAA breach disclosure carries reputational and regulatory consequences that can shutter a small practice. Crews like PEAR know this, and structure their ransom asks to be a fraction of the projected breach response cost.
  • Fragmented attack surface. A typical practice has ten to twenty external SaaS dependencies—patient scheduling, e-prescribing, billing, EHR, telehealth, IVR, patient portal, secure messaging. Each is a credential boundary the attacker can phish or exploit. The Western Orthopaedics intrusion took eight days; in a hospital environment that boundary count would be higher, and so would the dwell.

What Patients in the 113,330 Should Do Now

If you have been a Western Orthopaedics patient at any point, the practice is offering complimentary credit monitoring and identity theft protection. Take it—the enrollment window is usually 12 to 24 months and there is no cost. Beyond that, the leaked dataset is going to be a feed into downstream attacks for the next several years. Concrete next steps:

  • Freeze your credit at all three bureaus. Equifax, Experian, and TransUnion all offer free credit freezes online. With your SSN on a public leak site, anyone can attempt to open accounts in your name. A freeze blocks new credit applications until you explicitly thaw it.
  • Rotate the password you used on the Western Orthopaedics portal—everywhere. If you reused it for email, banking, or any account that contains money or messages, treat all of those as exposed and change them. Use a password manager so the next rotation is the last one you have to do manually.
  • Set up multi-factor authentication on your primary email account today. The leaked dataset can be used to attempt password resets on your email; once an attacker has your email, they have the keys to most other accounts you own. The 149 million Gmail credentials leaked in January tell you what an attacker does with this kind of dataset once they get it.
  • Expect health insurance phishing emails for the next 90 days. The dataset includes your insurance carrier, plan ID, and date of last service. An attacker can craft a believable "claim denial" or "explanation of benefits" email that references real treatment details. Do not click links in these emails; log directly into your insurer's portal instead.

The phishing risk is the part that is most likely to land. AI-powered phishing campaigns are up 1,200% year over year in 2026, and a leaked dataset with real medical context is exactly the input that lets a generative model produce believable, individualized lures at scale. The PEAR dataset is not the attack. It is the raw material the next attack will be built from.

The Disclosure Lag Is the Real Story

The most uncomfortable detail in the Western Orthopaedics notice is the gap between when the attacker was inside (mid-September 2025) and when the affected patients learned about it (May 2026). Eight months. During those eight months, the dataset was in motion on PEAR's infrastructure, then on the broader extortion market once the ransom window closed, then on whatever criminal mirror sites have copied it since. The notification arrived after the data had already begun circulating.

That eight-month lag is not unique to Western Orthopaedics. It is structural. Forensic file-by-file analysis of a compromised network takes months. Counsel needs to vet the disclosure language. State and federal regulators need to be notified in sequence. The clinic's insurance carrier wants the timeline reviewed. The result is a healthcare breach disclosure cadence that runs roughly half a year behind the actual intrusion—which means the patients whose data is being weaponized today have, in many cases, not yet received the letter telling them.

If you have been a healthcare patient anywhere in the United States in the past three years, the operational assumption that you should make is that your records have already been exposed in at least one breach—whether or not you have received a letter. Behave accordingly: freeze your credit, lock down your email with multi-factor authentication, never click a link in an unsolicited email about your medical care, and assume the next phishing campaign aimed at you will know more about your health than you would like.
