
Cunningham Prosthetic Care Breach Exposes SSNs and Medical Records After Six‑Month Investigation

Details on the six‑month investigation of the Cunningham Prosthetic Care email compromise that exposed SSNs, medical records, and personal data.

By Peter Olaleru, Cybersecurity Editor

Source: Claimdepot

TL;DR: On October 22, 2025, Cunningham Prosthetic Care discovered an email account compromise that later exposed names, birth dates, Social Security numbers, driver’s license numbers, and medical details of an undisclosed number of individuals. The six‑month investigation concluded on March 4, 2026, confirming the data included both personal and protected health information.

Context

Cunningham Prosthetic Care LLC, a family‑owned prosthetic and orthotic practice in Saco, Maine, first noticed the breach on October 22, 2025. The company reported the incident to the Massachusetts Office of Consumer Affairs and Business Regulation on May 1, 2026 and posted a notice on its website. The breach originated from a single compromised email account that an unauthorized party may have accessed on or about the discovery date.

Key Facts

Investigators worked with external cybersecurity professionals for more than four months to determine the scope. By March 4, 2026 they confirmed that the affected files may have contained both personally identifiable information and protected health information. Exposed data included full names, birth dates, Social Security numbers, driver’s license numbers, medical treatment and diagnostic details, medical record numbers, and health insurance information. The total number of affected individuals has not been disclosed. The company set up a toll‑free response line at 1-833-877-4472, available weekdays from 8 a.m. to 8 p.m. Eastern for 90 days.

What It Means

The exposure of Social Security numbers and health information raises the risk of identity theft, insurance fraud, and targeted phishing. Affected individuals should monitor credit reports and consider placing fraud alerts. Regulators may review whether the clinic met HIPAA safeguards, and further guidance from the HHS Office for Civil Rights could follow. What to watch next: any updates on potential misuse of the data, additional breach notices, and possible enforcement actions.

Mitigations

Organizations should enforce multi‑factor authentication on all email and cloud accounts to mitigate credential theft (MITRE ATT&CK T1078). Implementing anomalous login detection and reviewing mailbox access logs can help spot unauthorized activity early (T1078.003). Regular phishing awareness training reduces the likelihood of initial compromise via spearphishing (T1566.001). Finally, encrypting sensitive data at rest and in transit limits the value of any exfiltrated information.
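As an added illustration of the log review the mitigations paragraph describes (example code written for this page, not from the article, Claimdepot, or the clinic), the script below walks a constructed set of mailbox sign-in and access events, compares each login against a known-good baseline of countries per account, and flags a login from an unfamiliar country or without MFA together with any mailbox reads from the same IP shortly afterwards. The event field names, the baseline, and the sample events are all assumptions modelled loosely on a cloud-mail audit export.

```python
from datetime import datetime, timedelta

# Constructed sample events for one account (not real log lines from the incident).
# Field names are an assumption modelled on a cloud-mail audit export.
SAMPLE_EVENTS = [
    {"ts": "2025-10-20T13:02:00Z", "user": "billing@clinic.example", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "geo": "US", "mfa": True},
    {"ts": "2025-10-21T14:10:00Z", "user": "billing@clinic.example", "op": "MailItemsAccessed",
     "ip": "203.0.113.10", "geo": "US", "mfa": True},
    {"ts": "2025-10-22T03:41:00Z", "user": "billing@clinic.example", "op": "UserLoggedIn",
     "ip": "198.51.100.77", "geo": "NL", "mfa": False},
    {"ts": "2025-10-22T03:44:00Z", "user": "billing@clinic.example", "op": "MailItemsAccessed",
     "ip": "198.51.100.77", "geo": "NL", "mfa": False},
]

# Assumed known-good baseline: countries each account normally signs in from.
KNOWN_GOOD = {"billing@clinic.example": {"US"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_anomalous_access(events, baseline, window=timedelta(hours=1)):
    """Return alerts for logins from an unfamiliar country or without MFA, and
    for mailbox reads from the same IP within `window` of such a login.
    The baseline is only extended by logins that raised no flag."""
    known = {u: set(g) for u, g in baseline.items()}
    suspect = {}  # (user, ip) -> time of the flagged login
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        t, user, ip = parse_ts(ev["ts"]), ev["user"], ev["ip"]
        if ev["op"] == "UserLoggedIn":
            reasons = []
            if ev["geo"] not in known.setdefault(user, set()):
                reasons.append("new_country")
            if not ev["mfa"]:
                reasons.append("no_mfa")
            if reasons:
                suspect[(user, ip)] = t
                alerts.append({"ts": ev["ts"], "user": user, "ip": ip, "reasons": reasons})
            else:
                known[user].add(ev["geo"])
        elif ev["op"] == "MailItemsAccessed":
            t0 = suspect.get((user, ip))
            if t0 is not None and t - t0 <= window:
                alerts.append({"ts": ev["ts"], "user": user, "ip": ip,
                               "reasons": ["mail_access_after_suspect_login"]})
    return alerts


if __name__ == "__main__":
    for a in detect_anomalous_access(SAMPLE_EVENTS, KNOWN_GOOD):
        print(a)
```

On the sample data the script raises two alerts: the early-morning login from a country outside the baseline without MFA, and the mailbox read from the same IP three minutes later.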
