New York Attorney General Fines Capital Region Orthopedic Practice $500K for 2023 Data Breach
Orthopedics NY LLP (aka OrthoNY; OrthopedicsNY), a New York orthopedic medicine practice, has been fined $500,000 by the New York Attorney General over a December 2023 ransomware attack and data breach, according to several media outlets serving the Capital District in New York State.
OrthopedicsNY operates almost 20 orthopedic, physical therapy, MRI imaging, and surgery clinics in the Capital Region of New York State. On or around December 28, 2023, OrthopedicsNY fell victim to an INC Ransom ransomware attack. The investigation took around nine months; on September 5, 2024, it confirmed that the personal and protected health information of current and former patients and employees had been compromised in the incident.
The data breach was initially reported as affecting around 5,100 individuals, but the total was later updated to 656,086. Those individuals waited 10 months to learn that their information had been stolen: while the ransomware attack occurred in late December 2023, notification letters did not begin going out until October 30, 2024. OrthopedicsNY confirmed that a ransom demand was issued; it is unclear whether the ransom was paid. The ransomware group gained access to the network using compromised login credentials and exfiltrated unencrypted personal and protected health information, including the Social Security numbers, driver’s license numbers, and passport numbers of more than 110,000 individuals.
An investigation by the Office of the New York Attorney General determined that OrthopedicsNY had failed to implement reasonable and appropriate cybersecurity measures to secure patient data, in violation of federal and state laws. In addition to the $500,000 financial penalty, OrthopedicsNY must offer the affected individuals one year of complimentary credit monitoring and make significant improvements to data security, including implementing and maintaining a comprehensive information security program, multifactor authentication for remote access, and encryption of all sensitive patient information. OrthopedicsNY must also implement monitoring systems to identify unauthorized access, restrict access to employee and patient information, and conduct annual risk assessments to identify risks and vulnerabilities to sensitive data.
“Patients entrust their health care providers with their personal information, and providers must honor that trust by ensuring their systems are secure. OrthopedicsNY failed to do its due diligence to protect patients’ private information. No patient deserves to have their information exposed, and my office will continue to enforce the law to protect New Yorkers’ personal data,” Attorney General James said.