Cybersecurity · 2 hrs ago

Cunningham Prosthetic Care Discloses 2025 Email Breach Exposing SSNs and Health Data

Cunningham Prosthetic Care reported a 2025 email breach exposing Social Security numbers and health data to Massachusetts regulators in May 2026.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: Claimdepot

TL;DR: Cunningham Prosthetic Care discovered an email account compromise on October 22, 2025 that exposed Social Security numbers, driver’s license numbers, and protected health information. The breach was reported to Massachusetts regulators on May 1, 2026 after a months‑long investigation.

Context

Cunningham Prosthetic Care LLC, a family‑owned prosthetic and orthotic practice in Saco, Maine, detected unauthorized access to one of its employee email accounts on October 22, 2025. The intrusion remained undetected while the attacker reviewed messages and attachments for several months. External cybersecurity consultants were engaged to trace the activity and determine what data had been viewed or exfiltrated.

Key Facts

- The compromised email account was accessed on or about October 22, 2025.
- Investigators concluded on March 4, 2026 that the accessed files contained personally identifiable information (full names, dates of birth, Social Security numbers, driver’s license numbers) and protected health information (medical treatment details, diagnostic codes, medical record numbers, health insurance data).
- The company notified the Massachusetts Office of Consumer Affairs and Business Regulation on May 1, 2026 and posted a public notice on its website.
- A dedicated toll‑free line (1‑833‑877‑4472) was made available for 90 days to assist affected individuals.

What It Means

The incident illustrates how a single compromised credential can lead to exposure of both PII and PHI, triggering state breach‑notification obligations and potential HIPAA considerations. Although the exact number of affected individuals has not been disclosed, the combination of SSNs and health data increases risk of identity theft and medical fraud. The delay between discovery and regulator notification reflects the time required to scope the breach accurately.

Mitigations – What Defenders Should Do

- Enforce multi‑factor authentication on all email and remote access services to prevent use of stolen passwords (MITRE T1078).
- Implement anomalous login detection (e.g., impossible travel, new device) and alert on suspicious email forwarding rules (MITRE T1114).
- Regularly review and purge unnecessary data from mailboxes; apply retention limits to reduce the volume of PII/PHI stored in email.
- Conduct phishing‑resistant training and simulate credential‑harvesting attempts to lower the chance of initial compromise.
- Ensure encryption of PHI at rest and in transit, and maintain up‑to‑date patches for email servers and related software (refer to CVE‑2023‑23397 for Outlook privilege escalation as an example of a relevant advisory).
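
The anomalous-login and forwarding-rule checks from the list above, sketched as an added example (not code from the article or from Cunningham Prosthetic Care). The event tuples, the `ForwardTo` action label, the tenant domain and both thresholds are assumptions; real sign-in and mailbox audit logs use their own schemas.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900       # assumed threshold, roughly airliner cruising speed
MIN_KM = 50         # assumed floor so IP-geolocation jitter is ignored
INTERNAL_DOMAINS = {"example-clinic.test"}  # hypothetical tenant domain

# Constructed sign-in events: (user, ISO time, lat, lon, device id)
SIGNINS = [
    ("jdoe", "2025-10-22T08:00:00", 43.50, -70.44, "dev-A"),
    ("jdoe", "2025-10-22T09:30:00", 43.66, -70.26, "dev-A"),
    ("jdoe", "2025-10-22T10:15:00", 52.37, 4.90, "dev-X"),
]
# Constructed inbox-rule audit events: (user, action, target address)
RULES = [
    ("jdoe", "ForwardTo", "billing@example-clinic.test"),
    ("jdoe", "ForwardTo", "drop@mail.example.net"),
]

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance in km
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))

def signin_alerts(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Flag first use of an unseen device and physically impossible travel."""
    alerts, last, seen = [], {}, {}
    for user, ts, lat, lon, dev in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        known = seen.setdefault(user, set())
        if known and dev not in known:   # the first device is the baseline
            alerts.append((user, ts, "new_device"))
        known.add(dev)
        if user in last:
            pt, plat, plon = last[user]
            hours = (t - pt).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            # Simultaneous sign-ins from distant places also count
            if km > min_km and (hours <= 0 or km / hours > max_kmh):
                alerts.append((user, ts, "impossible_travel"))
        last[user] = (t, lat, lon)
    return alerts

def forwarding_alerts(rules, internal=INTERNAL_DOMAINS):
    """Return forwarding rules whose target is outside the tenant's domains."""
    return [(u, target) for u, action, target in rules
            if action.startswith("Forward")
            and target.rsplit("@", 1)[-1].lower() not in internal]
```

The short hop between the first two sign-ins stays below the distance floor, so only the third event raises alerts; tune both thresholds against VPN and mobile-carrier egress points before alerting on them.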
