OrthopedicsNY Pays $1.45M to Settle Class Action Data Breach Lawsuit

OrthopedicsNY agreed to pay $1,450,000 to settle a class action lawsuit prompted by a December 2023 ransomware attack and data breach affecting 656,086 patients.

Incident Overview

OrthopedicsNY, an orthopedic medicine and surgery practice operating almost 20 clinics in the Capital Region of New York State, experienced a ransomware attack on or around December 28, 2023. The attack was attributed to the INC Ransom threat group. Prior to file encryption, the threat actor exfiltrated sensitive patient data.

The compromised data included names, contact information, financial information, protected health information (PHI), Social Security numbers, driver’s license numbers and passport numbers. Notification to affected individuals was issued on November 4, 2024.

Litigation And Claims

Multiple class action lawsuits were filed in response to the data breach. These actions were consolidated into a single case identified as Michael Sayers, et al. v. OrthopedicsNY, LLP in the Circuit Court of the 17th Judicial Circuit in and for Broward County, Florida.

The plaintiffs alleged that OrthopedicsNY represented that it would protect sensitive personal and health information in accordance with HIPAA but failed to do so. The claims asserted included negligence, negligence per se, breach of implied contract, and unjust enrichment. The allegations focused on the failure to safeguard personal and electronic protected health information, which resulted in unauthorized access and data exfiltration.

Settlement Terms

OrthopedicsNY agreed to establish a $1,450,000 settlement fund. The agreement was reached to avoid extended litigation and the uncertainty associated with trial proceedings. The settlement fund will be allocated to attorneys’ fees and expenses, notification and administration costs, and service awards for 12 named class representatives. The remaining funds will be distributed to class members.

Eligible class members may submit claims for reimbursement of documented, unreimbursed losses attributable to the data breach, with a maximum recovery of $2,500 per individual. An alternative cash payment option is available, estimated at $50 per class member, subject to adjustment based on the number of valid claims submitted.

The deadline for submitting claims, opting out, or objecting to the settlement is June 15, 2026. The settlement has received preliminary court approval. A final fairness hearing is scheduled for June 30, 2026.

Regulatory Action And Compliance Measures

OrthopedicsNY previously resolved an investigation conducted by the New York Attorney General and paid a $500,000 financial penalty. The investigation determined that OrthopedicsNY did not implement reasonable and appropriate cybersecurity measures to protect patient data, resulting in violations of federal and state laws.

As part of the resolution, OrthopedicsNY agreed to implement and maintain a comprehensive information security program. Additional cybersecurity measures are required to strengthen data protection practices. The organization also agreed to provide affected individuals with one year of complimentary credit monitoring services.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X: https://x.com/Thomas7Brown