Gramercy Surgery Center Agrees to Pay $400,000 to Cover Data Breach Claims
Gramercy Surgery Center in New York has agreed to settle a class action lawsuit that was filed in response to a June 2024 ransomware attack. The settlement provides a maximum of $400,000 to cover claims for out-of-pocket expenses and cash payments to class members.
Gramercy Surgery Center identified the attack on June 18, 2024. While not described as a ransomware attack, the Everest ransomware group claimed responsibility and added Gramercy Surgery Center to its data leak site. The group had access to its network since June 14, 2025, and exfiltrated patient information such as names, addresses, Social Security numbers, dates of birth, driver’s license/state identification card numbers, medical record numbers, treatment information, and health insurance information. The data breach was reported to the HHS’ Office for Civil Rights (OCR) as affecting 52,544 individuals.*
A lawsuit – Horvath v. Gramercy Surgery Center, Inc. – was filed against Gramercy Surgery Center in the United States District Court for the Southern District of New York over the data breach, alleging Gramercy Surgery Center was negligent as it failed to employ reasonable security measures, as required by HIPAA, the FTC Act, and other standards. The lawsuit also claims that Gramercy Surgery Center failed to delete the data of former patients when their records were no longer required, and failed to provide adequate notifications to breach victims. In addition to negligence, the lawsuit asserted claims of breach of implied contract and unjust enrichment.
Gramercy Surgery Center denies all claims and contentions in the lawsuit and maintains that there was no wrongdoing. The settlement was agreed upon to avoid the risks and costs of lengthy and uncertain litigation, and the uncertainty of a trial and appeals. The settlement covers the 52,372 individuals who were notified about the data breach and provides monetary relief and credit monitoring/identity theft protection services. There are two benefit options that can be claimed. Class members may submit a claim for reimbursement of documented out-of-pocket expenses up to a maximum of $2,500, which can include up to $60 in lost time (maximum of 3 hours at $20 per hour). Alternatively, class members may claim a cash payment of $50.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
A $400,000 cap has been set for monetary relief. Claims and cash payments will be paid pro rata if the claimed losses exceed $400,000. The $400,000 settlement fund does not include attorneys’ fees, legal costs and expenses, and class representative awards, which will be covered by Gramercy Surgery Center in addition to the $400,000. All class members are entitled to three years of credit monitoring services, regardless of whether they submit a claim for monetary relief.
The settlement has received preliminary approval from the court. The deadline for objection to and opting out of the settlement is August 29, 2025. Claims must be submitted by September 29, 2025, and the final fairness hearing has been scheduled for October 21, 2025, at 9:30 a.m. The plaintiffs and class were represented by attorneys from the law firm Milberg Coleman Bryson Phillips Grossman, PLLC.
*The OCR breach portal still lists the incident as affecting 52,544 individuals, although the lawsuit states that 52,372 notifications were mailed.
