
OrthopedicsNY faces $1.95M penalty after INC Ransom attack


A New York orthopedic practice has agreed to a $1.45 million class action settlement on top of a $500,000 state penalty, after investigators found that the 2023 ransomware attack succeeded because the organization lacked multi-factor authentication and stored patient data without encryption.

 

What happened

OrthopedicsNY, an orthopedic medicine and surgery practice operating nearly 20 clinics across New York's Capital Region, has agreed to pay $1.45 million to resolve a class action lawsuit stemming from a December 2023 ransomware attack that exposed the personal and protected health information (PHI) of 656,086 patients. According to the official settlement notice, the INC Ransom ransomware group gained access to OrthopedicsNY's network on or around December 28, 2023, using compromised login credentials. The attackers exfiltrated files before encrypting systems, with stolen data including patient names, dates of birth, Social Security numbers, passport numbers, driver's license numbers, financial account information, and protected health information. Affected individuals were not notified until November 4, 2024, nearly 11 months after the attack. The settlement received preliminary court approval on February 25, 2026, with a claims deadline of June 15, 2026, and a final fairness hearing scheduled for June 30, 2026.

 

Going deeper

The class action settlement follows a separate $500,000 penalty paid to the New York Attorney General, bringing OrthopedicsNY's combined financial exposure from the breach to $1.95 million before attorneys' fees and administration costs. The AG investigation, announced in December 2025, determined that OrthopedicsNY had failed to implement basic cybersecurity protections before the attack, specifically the absence of multi-factor authentication (MFA) for remote network access and the storage of patient data without encryption. Because no MFA was in place, attackers with stolen credentials faced no additional barrier to accessing the system. Because data was stored unencrypted, files could be read and copied directly once the attackers were inside the network. Under the class action settlement terms, class members may claim up to $2,500 in documented out-of-pocket losses or an alternative cash payment anticipated at approximately $50 per member, depending on claim volume.

 

What was said

New York Attorney General Letitia James said in the press release announcing the penalty: "Patients entrust their health care providers with their personal information, and providers must honor that trust by ensuring their systems are secure. OrthopedicsNY failed to do its due diligence to protect patients' private information. No patient deserves to have their information exposed, and my office will continue to enforce the law to protect New Yorkers' personal data." As part of both settlements, OrthopedicsNY is required to implement MFA for remote network access, encrypt patient and employee data, conduct annual risk assessments, establish network monitoring for anomalous activity, and maintain a detailed information security program.

 

In the know

According to Becker's Spine Review, OrthopedicsNY's settlement is part of a sustained enforcement effort by the New York AG targeting healthcare organizations that fail to meet basic security standards. The AG's office secured $14.2 million from eight car insurance companies in October 2025 for failing to protect information belonging to more than 825,000 New Yorkers, and $975,000 from an auto insurer in March 2025 after more than 45,000 affected individuals had their data exposed. The scale of enforcement at the state level across sectors signals that regulators are treating the absence of foundational controls such as MFA and encryption as actionable negligence, not merely a compliance shortfall.

 

The big picture

The OrthopedicsNY case demonstrates a well-documented enforcement pattern: a data breach attributed to the absence of basic security controls triggers both a regulatory penalty and class action litigation, with combined costs far exceeding what the security measures themselves would have cost to implement. According to Paubox's What Small Healthcare Practices Get Wrong About HIPAA and Email Security report, HIPAA violations do not scale down with organization size, and even modest fines carry compliance overhauls and monitoring requirements whose costs can exceed the penalty itself. IBM puts the average cost of a healthcare data breach at $9.8 million. OrthopedicsNY's $1.95 million in combined penalties, while substantial, represents only a portion of the likely total cost once litigation management, remediation infrastructure, and reputational damage are accounted for. The two controls whose absence made the breach possible, MFA and encryption, are now mandated under the remediation terms of both settlements.

 

FAQs

What is INC Ransom and how does it operate?

INC Ransom is a ransomware group that uses a double extortion model, exfiltrating data before encrypting victim systems and threatening to publish stolen files unless a ransom is paid. The group has targeted healthcare organizations and other critical sectors across the United States and Europe.

 

Why did the absence of MFA make the attack possible?

Without MFA, attackers who obtained valid employee credentials through theft or purchase could log directly into OrthopedicsNY's network with no additional verification step. MFA requires a second form of authentication beyond a password, meaning stolen credentials alone are not sufficient to gain access.
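To make the point concrete, the following is an added illustration (not code from OrthopedicsNY, Paubox, or the settlement documents) of why a password-only remote login fails the moment credentials are stolen, and why adding a second factor changes the outcome. It pairs a salted password hash with a time-based one-time password (TOTP, RFC 6238) check. The account record, the password, and the helper names `make_account`, `login_password_only` and `login_with_mfa` are all constructed for this example; the TOTP secret is the RFC 6238 test-vector key, used here only as sample data.

```python
"""Password-only login versus password + TOTP (RFC 6238) login.

Constructed example: shows that a stolen password alone passes a
single-factor check but is rejected once a second factor is required.
"""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30  # seconds per TOTP time step (RFC 6238 default)


# --- password handling (salted PBKDF2-HMAC-SHA256) --------------------------
def hash_password(password, salt=None):
    """Return (salt, digest) for storage; never store the plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# --- TOTP: HMAC-SHA1 over the time counter, dynamically truncated ----------
def totp(secret, unix_time, step=TOTP_STEP, digits=6):
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret, code, unix_time, window=1):
    """Accept the current code and +/- `window` adjacent steps for clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * TOTP_STEP), code):
            return True
    return False


# --- account record (constructed sample, not real data) ---------------------
def make_account(username, password, totp_secret):
    salt, digest = hash_password(password)
    return {"user": username, "salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def login_password_only(account, password):
    """Single-factor remote login: a stolen password is all that is needed."""
    return verify_password(password, account["salt"], account["pw_hash"])


def login_with_mfa(account, password, code, unix_time):
    """Two-factor remote login: password AND a valid, current TOTP code."""
    if not verify_password(password, account["salt"], account["pw_hash"]):
        return False
    if code is None:
        return False  # password was right, but no second factor presented
    return verify_totp(account["totp_secret"], code, unix_time)


if __name__ == "__main__":
    # RFC 6238 test-vector secret; sample password is constructed for the demo
    secret = b"12345678901234567890"
    acct = make_account("remote-user", "Winter2023!", secret)
    stolen_password = "Winter2023!"  # what an attacker would hold after credential theft
    now = 59

    print("password only, stolen password :", login_password_only(acct, stolen_password))
    print("password + MFA, no code        :", login_with_mfa(acct, stolen_password, None, now))
    print("password + MFA, guessed code   :", login_with_mfa(acct, stolen_password, "000000", now))
    print("password + MFA, device code    :", login_with_mfa(acct, stolen_password, totp(secret, now), now))
```

The first line of output is True and the next two are False: the same stolen password that opens a single-factor login is stopped by the MFA path unless the caller also holds the enrolled device's current code. The `window` parameter in `verify_totp` is the usual trade-off between tolerating clock drift and narrowing the validity of each code; keep it small.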

 

What is the difference between the AG penalty and the class action settlement?

The $500,000 AG penalty was a regulatory enforcement action by the New York Attorney General for violations of state and federal law governing data security. The $1.45 million class action settlement resolves civil claims by affected patients and employees for negligence, breach of implied contract, and unjust enrichment.

 

How long do affected individuals have to file a claim?

The deadline to submit a claim, object to the settlement, or opt out is June 15, 2026. Eligible class members are US residents who received a breach notification letter from OrthopedicsNY.

 

What remediation measures is OrthopedicsNY now required to implement?

The combined settlement terms require OrthopedicsNY to implement MFA for remote access, encrypt all patient and employee data it collects and stores, conduct annual risk assessments, establish network monitoring for anomalous activity, limit data access through defined policies, and maintain a comprehensive information security program going forward.
