NYS fines OrthopedicsNY $500K after data breach exposes 650,000 patients
Lusanda Molefe December 30, 2026
New York Attorney General Letitia James has secured a $500,000 settlement from OrthopedicsNY, a Capital Region orthopedic practice, after an investigation found the company failed to implement basic cybersecurity protections before a 2023 ransomware attack that exposed the personal and health information of more than 650,000 patients and employees. The breach, attributed to the INC ransomware gang, compromised Social Security numbers, driver's license numbers, and passport numbers for approximately 110,000 individuals, yet OrthopedicsNY waited nearly ten months before notifying affected patients.
What happened
In December 2023, cyberattackers gained remote access to OrthopedicsNY's network using compromised login credentials. The attackers, identified as the INC ransomware gang, moved through the systems and exfiltrated unencrypted files containing sensitive patient and employee information before deploying ransomware to encrypt portions of the network.
The breach affected more than 650,000 patients and employees across OrthopedicsNY's eight clinic locations and three ambulatory surgery centers in Albany, Schenectady, Saratoga Springs, Glens Falls, Clifton Park, Delmar, Latham, and Malta. The stolen data included names, financial information, health insurance details, and protected health information (PHI). For approximately 110,000 of those individuals, the exposed data also included Social Security numbers, driver's license numbers, or passport numbers.
OrthopedicsNY discovered the breach on December 28, 2023, but did not notify affected patients until October 30, 2024, nearly ten months later. The company stated it conducted a nine-month investigation during this period, but has not disclosed whether it paid the ransom demanded by the attackers.
The big picture
The Attorney General's investigation found that OrthopedicsNY lacked fundamental cybersecurity controls before the attack. Remote network access was not protected by multi-factor authentication, so a single stolen username and password was enough to get in. Patient files containing Social Security numbers, passport numbers, and medical records were stored unencrypted, so once inside the attackers could read and exfiltrate them in plaintext.
The settlement requires OrthopedicsNY to overhaul its security practices with specific mandates:
- Implementing multi-factor authentication for all remote access
- Encrypting all sensitive patient and employee data
- Maintaining a comprehensive information security program
- Limiting access to patient data
- Monitoring systems for suspicious activity
- Conducting annual risk assessments
The company must also provide one year of free credit monitoring to all 650,000 affected individuals.
Why it matters
The breach creates different levels of risk depending on what information was exposed. All 650,000 affected individuals face potential medical identity fraud and privacy violations from the exposure of their health records and insurance details. The 110,000 individuals whose Social Security numbers, driver's license numbers, or passport numbers were stolen face risks of identity theft, tax fraud, and fraudulent identity documents that can take years to resolve.
The ten-month notification delay makes these risks worse. During that extended period, attackers could sell or exploit stolen data while victims remained unaware their information had been compromised. Prompt notification allows individuals to place fraud alerts, monitor credit reports, and watch for signs of identity theft before criminals can cause maximum damage.
Healthcare organizations face increasing cybersecurity threats, with 725 large data breaches reported to HHS in 2024, exposing the records of over 134 million individuals, about 40% of the U.S. population. The average healthcare breach cost $7.42 million in 2025, according to IBM, making healthcare the most expensive industry for data security incidents for the 14th consecutive year.
What they're saying
Attorney General Letitia James emphasized the obligation healthcare providers have to protect patient information: "Patients entrust their health care providers with their personal information, and providers must honor that trust by ensuring their systems are secure. OrthopedicsNY failed to do its due diligence to protect patients' private information. No patient deserves to have their information exposed and my office will continue to enforce the law to protect New Yorkers' personal data."
The settlement marks another action in James's ongoing enforcement efforts against organizations that fail to safeguard sensitive data. Her office secured more than $14 million from eight car insurance companies in October 2024 for similar security failures affecting over 825,000 New Yorkers.
FAQs
What is multi-factor authentication?
Multi-factor authentication (MFA) requires users to verify their identity through two or more independent methods before accessing systems: typically something they know (a password), something they have (a phone or hardware security key), or something they are (a fingerprint or facial recognition). With MFA in place, a stolen password alone is not enough to log in; the attacker also needs the second factor. One-time codes sent by SMS or generated by an authenticator app can still be phished or relayed in real time, so for remote access to systems holding PHI, phishing-resistant methods such as FIDO2/WebAuthn security keys are the stronger choice.
What are compromised login credentials?
Compromised login credentials are usernames and passwords that have been stolen, guessed, or obtained through phishing attacks, data breaches, or malware. Attackers use these stolen credentials to access systems while appearing as legitimate users, making detection more difficult.
What is an annual risk assessment?
A risk assessment is a systematic evaluation of an organization's security vulnerabilities, threats, and the potential impact of a breach. HIPAA requires covered entities to conduct regular risk assessments to identify gaps in their security posture and implement appropriate safeguards before attackers can exploit weaknesses.
