Medical Device Maker Suffered Breach in March, Notified Potential Victims in Late June
Medical device company Compumedics USA may have suffered a breach that leaked personal information, including Social Security numbers among other things, a law firm investigating the incident said Friday. Multiple states also reported the breach recently.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
"Although the breach occurred in February and March 2025, Compumedics did not begin notifying affected individuals until on or around June 27, 2025, which may have violated state and federal laws," law firm Schubert Jonckheer said in a press release. The firm is investigating the breach on behalf of potential victims.
Data exposed may include customers' demographic information, medical record numbers, diagnosis information and treatment information, Schubert Jonckheer said. Neither the law firm nor Compumedics mentioned the total number of people impacted by the breach.
The Compumedics website has a page notifying web visitors of the breach. It said the company "completed our investigation of, and data analysis for, the incident that disrupted the operations of our Information Technology (IT) systems" on May 13. The information the website said was leaked mirrors what the law firm had listed in its press release. Also, it gives the same date range for the breach that the law firm had. In addition, Compumedics said it "notified the health care providers whose patient information was involved on April 29, 2025."
The Maine attorney general's office reported the breach in May, saying that four Maine residents were affected. The Texas OAG also reported the breach on July 1, and said that 329 Texans were affected. New Hampshire reported the breach twice, on May 8 and June 27; the second notice contained more information, including that an estimated 15 state residents were impacted.
The law firm said Compumedics identified the breach March 22, and that the unauthorized third party had access between February 15 and March 23. However, a copy of the notification letter sent by the North Carolina-based company, included in the Maine AG's report, said the unauthorized actor accessed its network and took certain files between March 13 and March 24, and that a notification letter was sent to Maine residents on May 8.
In the above letter, the company said it "immediately took measures to secure our network and launched an investigation" after discovering the breach. It added that it's "implementing additional measures to enhance the security of our network and [is] continuing to train our employees concerning data security."