2 min read

Bone & Joint Clinic to pay $575K in ransomware settlement

Picture of Farah Amod Farah Amod August 14, 2025

Email cybersecurity
Bone & Joint Clinic to pay $575K in ransomware settlement

A Wisconsin orthopedic clinic will settle a class action lawsuit following a 2023 ransomware attack that compromised sensitive patient and employee data.

 

What happened

Bone & Joint Clinic S.C., a medical practice in Northcentral Wisconsin, has agreed to a $575,000 settlement following a ransomware incident that disrupted its systems and exposed protected data. The breach, discovered on January 16, 2023, affected over 105,000 current and former patients and employees.

An unauthorized actor accessed the clinic’s network, deployed ransomware to encrypt files, and potentially exfiltrated personal and medical information including names, contact details, birth dates, Social Security numbers, insurance data, diagnoses, and treatment records.

 

Going deeper

Four patients filed lawsuits, which were later consolidated into a single complaint in the U.S. District Court for the Western District of Wisconsin. Plaintiffs accused the clinic of failing to implement adequate cybersecurity safeguards and asserted multiple claims including negligence, breach of fiduciary duty, invasion of privacy, and violations of Wisconsin’s healthcare confidentiality laws.

While the clinic has not admitted liability, it agreed to the settlement to avoid prolonged litigation. Eligible individuals can submit claims for up to $5,000 in documented, unreimbursed expenses related to the breach. Additional pro rata cash payments, estimated at around $75 per person, will be distributed depending on the number of claims filed.

 

What was said

Bone & Joint Clinic continues to deny wrongdoing, stating that the settlement is not an admission of fault but a practical resolution. Funds for the settlement will also cover attorneys’ fees (up to $191,475), litigation expenses (up to $20,000), service awards for named plaintiffs, and administrative costs.

The deadline to exclude oneself from or object to the settlement is September 15, 2025, with claim submissions due by October 15, 2025. A final fairness hearing is set for January 7, 2026.

 

FAQs

Who qualifies as a class member in this settlement?

Anyone whose personal or medical data was compromised in the January 2023 incident is considered part of the settlement class and may be eligible to submit a claim.

 

What kind of losses are reimbursable under the settlement?

Documented, unreimbursed out-of-pocket losses that can be reasonably linked to the data breach, such as costs for credit monitoring or identity restoration, can be claimed, up to $5,000 per person.

 

How do pro rata payments work in class action settlements?

Pro rata payments are distributed equally among claimants from the remaining settlement fund after deductions. The actual amount depends on how many valid claims are filed.

 

How is this case different from other healthcare breach settlements?

This case involved multiple legal claims beyond negligence, including breach of implied contract and violations of specific state privacy laws, which may set a precedent for how similar cases are argued or settled in Wisconsin.
Send PHI securely—No portals required. The all-in-one email security suite for healthcare. HIPAA compliant email with Google and Microsoft.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.