TriMed Reports Data Breach Involving Patient Information

By Daniel Lopez

TriMed reported unauthorized access to parts of its network that stored order forms and invoices between September 13, 2025, and September 21, 2025, and confirmed that some of the exposed files contained patient names, birth dates, and medical record numbers.

Incident Overview

Santa Clarita, California-based TriMed manufactures upper and lower orthopedic implants. The company identified suspicious activity affecting certain systems in September 2025 and initiated a forensic investigation to determine the nature and extent of the incident. The investigation determined that an unauthorized third party accessed parts of TriMed’s system from September 13, 2025, through September 21, 2025. The unauthorized third party potentially accessed and stole files in the breached system.

Data Exposed

A review of the exposed files confirmed that the documents contained information related to surgically implanted hardware. The exposed records included the part type, associated installation components such as screws, and the name of the ordering surgeon. While the affected documents do not typically include personal information, TriMed reported that in certain cases the documents contained names, birth dates, and medical record numbers. The exposed documents did not include Social Security numbers or financial information such as bank account, credit card, or debit card numbers.

Investigation and Response Measures

TriMed reported that it identified suspicious activity with certain systems in September 2025 and then conducted a forensic investigation to determine the scope of the access. The company stated that it has taken steps to strengthen existing security controls and threat detection practices. TriMed also integrated a global security operations center and indicated it will continue to update security measures as appropriate. TriMed reported the incident to law enforcement.

Notifications and Offered Services

TriMed informed the Maine Attorney General that two Maine residents were affected. The company stated that there was no request to delay notifications to affected individuals and that notification letters were sent as soon as possible once the affected individuals and data categories were identified. Although Social Security numbers were not involved, TriMed offered credit monitoring and identity theft protection services for 24 months according to the notification letter sent to the Maine Attorney General.

Regulatory and Public Reporting Status

The incident had not been added to the U.S. Department of Health and Human Services Office for Civil Rights website at the time of the notification. The data breach listing does not state the total number of individuals affected. No known threat group appears to have claimed responsibility for the attack.

Impacted Data and Operational Context

TriMed manufactures surgical implants to replace or repair damaged joints. The exposed order and invoice documentation reflected items that would have been ordered on a patient’s behalf and included device and surgical component details. The HIPAA-covered company confirmed that the majority of exposed data related to its hardware and the individuals who received it.


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA