Major Data Breach Impacts Over 650,000 Patients and Staff

An orthopedic practice in upstate New York has agreed to a $500,000 settlement with state regulators as a consequence of a data breach that compromised the sensitive information of approximately 650,000 individuals. This incident has prompted the organization, known as OrthopedicsNY (OrthoNY), to enhance its cybersecurity measures to prevent future occurrences.
New York State Attorney General Letitia James announced the settlement at the end of December 2025. The investigation revealed that the attackers exploited vulnerabilities in OrthoNY’s security protocols to unlawfully access sensitive data. Specifically, the breach occurred in 2023 when hackers gained remote entry to the organization’s network using compromised login credentials. That access allowed them to download unencrypted sensitive files, which included personal identifiers such as Social Security numbers and driver’s license numbers for roughly 110,000 individuals.
James emphasized the importance of safeguarding patients’ private information, stating, “Healthcare providers must honor the trust that patients place in them by implementing robust security measures.” The investigation concluded that the security lapses on OrthoNY’s part were significant enough to warrant the enforcement action taken against them.
In addition to the financial settlement, OrthoNY is mandated to establish a comprehensive security program aimed at reinforcing its data protection protocols. Key measures include implementing multifactor authentication for network access, encrypting sensitive data at rest and in transit, and instituting regular security risk assessments. These actions represent a proactive approach to data security in light of increasing cyber threats.
The breach was attributed to the cybercriminal group known as INC Ransom, which claimed responsibility in January 2024, according to reports from ransomware monitoring sites. This incident underscores the increasingly sophisticated tactics employed by adversaries, notably those related to initial access and exploitation techniques outlined in the MITRE ATT&CK framework. The attack reflects a concerning trend wherein organizations experience unauthorized network entry due to inadequate security controls.
OrthoNY reported the incident to federal regulators as a HIPAA breach, confirming that the compromised data was linked to a network server vulnerability. The significant number of individuals affected highlights the urgent need for healthcare providers to adopt stringent cybersecurity measures as part of their operational protocols.