OrthopedicsNY Agrees to $1.45 Million Settlement of Ransomware Data Breach

OrthopedicsNY has agreed to pay $1,450,000 to resolve a class action lawsuit associated with a ransomware attack in December 2023 that exposed the personal and electronic protected health information (ePHI) of 656,086 patients.

Incident Overview

Orthopedic medicine and surgery practice OrthopedicsNY operates 20 clinics in the Capital Region of New York State. The organization suffered a ransomware attack conducted by the INC Ransom threat group on or around December 28, 2023. The attackers encrypted files after exfiltrating sensitive patient data.

The breached data included patient names, contact and financial information, protected health information (PHI), Social Security numbers, driver’s license numbers, and passport numbers. OrthopedicsNY notified the affected individuals about the breach on November 4, 2024.

Litigation and Allegations

The practice faced multiple class action lawsuits because of the breach. The lawsuits were consolidated into a single case, Michael Sayers, et al. v. OrthopedicsNY, LLP. The case is being heard in the Circuit Court of the 17th Judicial Circuit in and for Broward County, Florida.

The plaintiffs alleged that OrthopedicsNY failed to safeguard sensitive personal and health information despite assurances that such data would be protected. The claims included unjust enrichment, negligence, negligence per se, and breach of implied contract.

Settlement Terms

OrthopedicsNY agreed to the settlement to avoid extended litigation and the uncertainty associated with trial proceedings. The settlement establishes a $1,450,000 fund. This fund is allocated to cover attorneys’ fees and expenditures, service awards for the 12 named class representatives, and notification and administration costs. Remaining funds will be paid to eligible class members.

Class members have two compensation options. Individuals may claim documented and unreimbursed losses associated with the data breach up to $2,500 per person. Alternatively, class members may choose to receive a cash payment estimated at $50, subject to adjustment depending on the number of valid claims submitted.

The deadline to submit claims, opt out, or file objections is June 15, 2026. The court has granted preliminary approval of the settlement, and a final fairness hearing is scheduled for June 30, 2026.

Regulatory Enforcement Action

Aside from the class action settlement, OrthopedicsNY previously resolved an investigation conducted by the New York Attorney General. The organization paid a $500,000 financial penalty for failing to implement reasonable and appropriate cybersecurity measures to protect patient data, which constituted violations of federal and state laws, including HIPAA.

OrthopedicsNY also needed to implement and maintain a comprehensive information security program and adopt additional cybersecurity measures. The organization provided the affected individuals with one year of free credit monitoring services.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth.