Cunningham Prosthetic Care, Maine, disclosed a data breach of personally identifiable information and protected health information to the Massachusetts Office of Consumer Affairs and Business Regulation on May 1. The breach, discovered in October 2025, included people in Iowa, Maryland, Massachusetts, New York, North Carolina, Oregon, Washington DC, and Rhode Island. The company did not disclose the number of individuals affected by the breach.
The breach centered on a compromised Cunningham Prosthetic Care email account, according to a post on the company’s website, in which an unauthorized individual may have gained access. As part of the investigation, the company worked with external cybersecurity professionals to determine the scope of the unauthorized access, review the contents of the compromised email account, and identify which files may have been affected.
The types of personally identifiable information exposed included full names, dates of birth, Social Security numbers, and driver’s license numbers. The types of protected health information exposed included medical treatment and diagnostic information, medical record numbers, and health insurance information, but the company noted that not all information was impacted for all individuals.
Cunningham Prosthetic Care said that there is currently no indication of any fraud as a result of the incident, but has notified individuals whose information was included in the files that may have been subject to unauthorized access by the third-party actor. Notified individuals have been provided with best practices to protect their information, and the company set up a dedicated toll-free response line to answer questions or provide additional information regarding the incident.
