Ortho Rhode Island to pay $2.9 million in ransomware settlement
Farah Amod
October 30, 2025
A 2024 ransomware attack led to one of the largest healthcare breach settlements in Rhode Island history.
What happened
Orthopedics Rhode Island (Ortho RI) has agreed to pay $2.9 million to settle multiple class action lawsuits related to a ransomware attack discovered on September 7, 2024. Forensic findings revealed that attackers gained unauthorized access between September 4 and September 8, 2024, exposing the protected health information (PHI) of 377,731 individuals. The compromised data included names, birth dates, billing and insurance details, diagnoses, prescriptions, test results, and X-ray images.
Ortho RI began notifying affected individuals through a website notice in November 2024 and mailed individual notifications in December 2024. The breach was also reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).
Going deeper
Seven class action lawsuits were filed following the breach, with one dismissed and the rest consolidated into Lavoie-Soria et al. v Orthopedics Rhode Island, Inc. in Kent County Superior Court. Plaintiffs alleged that Ortho RI failed to implement reasonable cybersecurity safeguards, resulting in negligence, breach of implied contract, unjust enrichment, and breach of fiduciary duty.
Victims claimed financial harm, identity theft risks, and lost value of their personal data. While Ortho RI denied wrongdoing, the organization opted to settle to avoid further litigation costs and uncertainty.
What was said
Both Ortho RI and class representatives stated that the settlement was the most practical resolution, considering the costs and risks of prolonged litigation. Attorneys’ fees, settlement administration costs, and monitoring expenses will be deducted before funds are distributed. The deadlines for objections and claims are December 29, 2025, and January 13, 2026, respectively, with a final approval hearing set for January 28, 2026.
The big picture
According to Paubox’s State of Healthcare Email Security Report, ransomware and malware attacks, most often delivered through malicious email links or attachments, have surged by 264% against healthcare organizations since 2018. In 2024 alone, 180 providers reported email-related breaches, exposing widespread misconfigurations and overconfidence in outdated safeguards. These weaknesses carry enormous financial fallout, with the average cost of a healthcare data breach reaching $11 million in 2025, the highest of any industry. The Ortho RI settlement reflects this broader pattern: as regulatory scrutiny intensifies and class action risks rise, maintaining verifiable, proactive security practices is no longer optional; it is a legal and financial imperative.
FAQs
How does this settlement compare to other healthcare breach settlements?
While smaller than multi-state hospital settlements, Ortho RI’s $2.9 million agreement is large for a regional provider, reflecting courts’ growing emphasis on compensating victims of medical data breaches.
What is the role of the Office for Civil Rights (OCR) in this case?
The OCR oversees HIPAA compliance and investigates healthcare breaches involving PHI. Its findings can influence the scope of settlements or future enforcement actions.
What distinguishes medical record monitoring from credit monitoring?
Medical record monitoring focuses on detecting misuse of healthcare information, such as fraudulent insurance claims or prescription activity, while credit monitoring tracks financial identity theft.
Could this settlement affect how healthcare entities insure against cyber risks?
Yes. Breaches leading to large settlements often prompt healthcare organizations to reassess cyber insurance coverage, including policies for ransomware recovery and class action defense.
