On or about May 21, 2026, Orrstown Bank (“Orrstown”) was notified by its third-party vendor, Mercadien, P.C. CPAs (“Mercadien”), that a data security incident had occurred that may have affected customer information. The incident involved unauthorized access to systems maintained by the vendor, where consumer data was stored.
After learning of the incident, Orrstown Bank initiated its response procedures and began notifying affected individuals. The bank reported that, based on the investigation, personal information was contained within the affected systems and could have been accessed by an unauthorized third party.
Orrstown Bank is a financial institution headquartered in Harrisburg, Pennsylvania, providing banking and financial services to customers throughout Pennsylvania and Maryland.
As part of its response, Orrstown evaluated its security practices, coordinated with its vendor, and implemented measures aimed at preventing similar incidents in the future. The bank also provided impacted individuals with complimentary credit monitoring and identity protection services through Experian IdentityWorks for 24 months.
Impacted individuals were given instructions for enrolling in identity monitoring services and advised to remain vigilant against identity theft and fraud by reviewing account activity and credit reports.
If you received a Data Breach Notification Letter from Orrstown Bank, it confirms that your information was potentially impacted.
What information is involved in the Orrstown Bank Data Breach?
Compromised information may include:
First Name
Last Name
Social Security Number
Date of Birth
Address
Government-issued Identification
Financial information
Medical or Health Information
Your Personally Identifiable Information (PII) includes details that can be used to identify you. Organizations are legally required to protect this information, and when compromised, consumers may face risks of identity theft and fraud.
A specific category of PII is financial account information, which can be used to access funds, open fraudulent accounts, or commit financial fraud. When combined with other identifiers, the risk of identity misuse increases significantly.
Orrstown has advised impacted individuals to take precautions such as activating credit monitoring, placing fraud alerts, and considering a credit freeze to prevent unauthorized account activity.
If your data is exposed, criminals may attempt to use that information to access financial accounts or create fraudulent identities. Monitoring tools and early detection are critical in preventing long-term harm.
Residents of California benefit from additional privacy protections under the California Consumer Privacy Act (CCPA), which grants enhanced rights regarding personal data. Additionally, California residents also benefit from medical privacy protections under the Confidentiality of Medical Information Act (CMIA), which specifically grants enhanced protections for confidential medical data.
If you received a NOTICE OF DATA BREACH letter from Orrstown Bank, your personal information may be at risk and could be misused for identity theft or fraud.
Contact the Data Breach Attorneys at Emery | Reddy today for a Free Case Review.