OrthopedicsNY Settles Class Action Data Breach Lawsuit for $1.45M
A $1,450,000 settlement has been agreed upon to resolve a class action lawsuit against the New York orthopedic medicine and surgery practice OrthopedicsNY. The class action complaint was filed in response to a December 2023 ransomware attack and data breach that exposed the personal and electronic protected health information of 656,086 patients.
OrthopedicsNY, which operates almost 20 clinics in the Capital Region in New York State, was attacked by the INC Ransom threat group on or around December 28, 2023. Prior to encrypting files, INC Ransom exfiltrated sensitive patient data, including names, contact information, financial information, protected health information, Social Security numbers, passport numbers, and driver’s license numbers. The affected individuals were notified on November 4, 2024.
Several class action lawsuits were filed in response to the data breach, which were consolidated in a single action – Michael Sayers, et al. v. OrthopedicsNY, LLP – in the Circuit Court of the 17th Judicial Circuit in and for Broward County, Florida. The plaintiffs alleged that the defendant promised to protect their sensitive personal and health information but failed to do so, resulting in a ransomware attack and the theft of their data. The plaintiffs asserted claims for negligence, negligence per se, breach of implied contract, and unjust enrichment.
OrthopedicsNY agreed to a settlement to avoid the cost and time of protracted litigation and the uncertainty of a trial. Class counsel and the class representatives believe the settlement is fair and that accepting the settlement is in the best interests of class members. Under the terms of the settlement, OrthopedicsNY has agreed to establish a $1,450,000 settlement fund to cover attorneys’ fees and expenses, notification and administration costs, and service awards for the 12 named class representatives. After covering those costs, the remainder of the settlement fund will be used to pay for benefits to the class members.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Class members may claim one of two cash payments. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member, or they may claim an alternative cash payment, which is anticipated to be $50 per class member, but may be higher or lower depending on the number of valid claims received. The deadline for objection, opting out, and submitting a claim is June 15, 2026. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for June 30, 2026.
In addition to the class action settlement, OrthopedicsNY previously settled an investigation by the New York Attorney General and paid a $500,000 financial penalty. The New York Attorney General determined that OrthopedicsNY failed to implement reasonable and appropriate cybersecurity measures to secure patient data, in violation of federal and state laws. In addition to the financial penalty, OrthopedicsNY agreed to implement and maintain a comprehensive information security program and several cybersecurity measures to bolster security and offer the affected individuals one year of complimentary credit monitoring services.
