A Wisconsin orthopedic clinic will settle a class action lawsuit following a 2023 ransomware attack that compromised sensitive patient and employee data.
Bone & Joint Clinic S.C., a medical practice in Northcentral Wisconsin, has agreed to a $575,000 settlement following a ransomware incident that disrupted its systems and exposed protected data. The breach, discovered on January 16, 2023, affected over 105,000 current and former patients and employees.
An unauthorized actor accessed the clinic’s network, deployed ransomware to encrypt files, and potentially exfiltrated personal and medical information including names, contact details, birth dates, Social Security numbers, insurance data, diagnoses, and treatment records.
Four patients filed lawsuits, which were later consolidated into a single complaint in the U.S. District Court for the Western District of Wisconsin. Plaintiffs accused the clinic of failing to implement adequate cybersecurity safeguards and asserted multiple claims including negligence, breach of fiduciary duty, invasion of privacy, and violations of Wisconsin’s healthcare confidentiality laws.
While the clinic has not admitted liability, it agreed to the settlement to avoid prolonged litigation. Eligible individuals can submit claims for up to $5,000 in documented, unreimbursed expenses related to the breach. Additional pro rata cash payments, estimated at around $75 per person, will be distributed depending on the number of claims filed.
Bone & Joint Clinic continues to deny wrongdoing, stating that the settlement is not an admission of fault but a practical resolution. Funds for the settlement will also cover attorneys’ fees (up to $191,475), litigation expenses (up to $20,000), service awards for named plaintiffs, and administrative costs.
The deadline to exclude oneself from or object to the settlement is September 15, 2025, with claim submissions due by October 15, 2025. A final fairness hearing is set for January 7, 2026.
Anyone whose personal or medical data was compromised in the January 2023 incident is considered part of the settlement class and may be eligible to submit a claim.
Documented, unreimbursed out-of-pocket losses that can be reasonably linked to the data breach, such as costs for credit monitoring or identity restoration, can be claimed, up to $5,000 per person.
Pro rata payments are distributed equally among claimants from the remaining settlement fund after deductions. The actual amount depends on how many valid claims are filed.
This case involved multiple legal claims beyond negligence, including breach of implied contract and violations of specific state privacy laws, which may set a precedent for how similar cases are argued or settled in Wisconsin.