$2.4 Million Settlement by Excelsior Orthopaedics and Buffalo Surgery Center in Data Breach Lawsuit

Excelsior Orthopaedics and Buffalo Surgery Center agreed to a $2,400,000 settlement to resolve consolidated class action litigation related to a 2024 data breach.

Incident Overview

On or about June 23, 2024, Excelsior Orthopaedics, located in Amherst, New York, detected unusual activity within its network. A subsequent forensic review confirmed that an unauthorized third party gained access to and copied data from its systems. The incident also involved Northtowns Orthopaedics in Buffalo and Buffalo Surgery Center.

Excelsior Orthopaedics reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights, indicating that 394,752 individuals were affected. Buffalo Surgery Center reported that 64,000 patients were impacted. Notification letters were issued to affected individuals on December 31, 2024.

The compromised information included names, demographic data, driver’s license numbers, Social Security numbers, medical information, health insurance details, and financial data.

Litigation And Allegations

Following the incident, multiple class action lawsuits were filed against Excelsior Orthopaedics and Buffalo Surgery Center. These cases were combined under Szucs et al. v. Excelsior Orthopaedics, LLP et al. in the Supreme Court of the State of New York, County of Erie.

The plaintiffs alleged that they sustained harm connected to the breach and attributed those harms to failures in securing and properly handling sensitive personally identifiable information and protected health information. The claims also asserted that the defendants did not meet applicable cybersecurity standards, Federal Trade Commission guidelines, or requirements under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule.

The legal claims included negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, and violations of the New York Deceptive Acts and Practices Act.

Settlement Terms

The defendants denied all allegations and did not admit liability. The parties agreed to resolve the matter through a financial settlement to avoid continued litigation and the uncertainty of trial.

The settlement establishes a $2,400,000 fund. Deductions will be made for attorneys’ fees, litigation costs, notification expenses, settlement administration, and service awards for nine named plaintiffs. Remaining funds will be allocated to eligible class members.

Class Member Benefits

Eligible individuals will receive two years of three-bureau credit monitoring services. Access to these services will be provided automatically without requiring a claim submission.

Class members may submit claims for reimbursement of documented losses related to the breach, with a maximum recovery of $5,000 per individual.

Individuals who do not file reimbursement claims may elect to receive a cash payment. These payments will be distributed on a pro rata basis depending on the remaining funds after deductions and approved claims.

Key Dates And Deadlines

Requests for exclusion or objections to the settlement must be submitted by May 17, 2026. Claims for reimbursement or cash payments must be filed by June 11, 2026. The final fairness hearing is scheduled for July 8, 2026.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X: https://x.com/Thomas7Brown