OrthopedicsNY, a New York orthopedic practice operating nearly 20 clinics across the Capital Region, has agreed to a $1.45 million class action settlement on top of a $500,000 penalty paid to the New York Attorney General, bringing combined exposure from a December 2023 INC Ransom attack to $1.95 million. Investigators confirmed the breach succeeded because the organization lacked multi-factor authentication for remote access and stored patient data without encryption. The incident exposed the personal and protected health information of 656,086 patients.
What Happened
INC Ransom operators gained access to OrthopedicsNY's network on or around December 28, 2023, using compromised login credentials. The attackers exfiltrated files before deploying ransomware to encrypt systems. Affected individuals were not notified until November 4, 2024, nearly 11 months after the intrusion. A class action lawsuit followed, receiving preliminary court approval on February 25, 2026, with a claims deadline of June 15, 2026, and a final fairness hearing scheduled for June 30, 2026. Separately, the New York Attorney General announced a $500,000 penalty in December 2025 following an investigation that found the practice failed to implement basic cybersecurity protections.
What Was Taken
Stolen data tied to 656,086 patients included:
- Patient names and dates of birth
- Social Security numbers
- Passport numbers
- Driver's license numbers
- Financial account information
- Protected health information (PHI)
The combination of government identifiers, financial credentials, and medical records makes the dataset highly attractive for identity fraud, synthetic identity creation, and targeted phishing against patients.
Why It Matters
The OrthopedicsNY case is a textbook example of regulators treating missing baseline controls as negligence rather than misfortune. AG Letitia James's office explicitly tied the $500,000 penalty to two findings any auditor would flag: no MFA on remote access and unencrypted patient data at rest. For healthcare providers, the message is that the cost of not deploying widely available, commoditized controls now routinely exceeds the cost of deploying them by orders of magnitude. The nearly 11-month notification delay also reinforces the reputational and legal risk of slow breach disclosure under state and HIPAA rules.
Class members can claim up to $2,500 for documented out-of-pocket losses or an alternative cash payment estimated at roughly $50 per member, depending on claim volume. Attorneys' fees and administration costs come on top of that and will push total costs well beyond the headline $1.95 million.
The Attack Technique
According to the settlement notice and AG findings, the intrusion followed a straightforward credential abuse pattern associated with INC Ransom:
- Attackers obtained valid login credentials, likely via phishing, infostealer logs, or prior credential compromise.
- With no MFA enforced on remote network access, the stolen credentials alone were sufficient to authenticate.
- Once inside, because patient data was stored unencrypted, files could be read and exfiltrated directly without needing to break additional cryptographic controls.
- The group then executed the double extortion playbook: bulk data exfiltration followed by ransomware deployment to encrypt systems.
INC Ransom has been active since 2023 and has repeatedly targeted healthcare providers, relying heavily on valid accounts and exposed remote services as initial access vectors.
What Organizations Should Do
- Enforce phishing-resistant MFA on every remote access path, including VPN, RDP, VDI, and administrative consoles. Treat any remote entry point without MFA as a reportable control failure.
- Encrypt sensitive data at rest, especially PHI, PII, and financial records, and validate that backups and file shares are covered rather than only endpoints.
- Monitor for credential abuse by baselining normal authentication patterns and alerting on impossible-travel, new-device, and high-volume access events from recently issued or dormant accounts.
- Hunt for INC Ransom indicators, including known tooling, lateral movement patterns, and staging directories, and ensure EDR coverage extends to hypervisors and file servers, not just workstations.
- Shorten breach detection and notification timelines by pre-building incident response playbooks with legal and communications teams so notification obligations are not a bottleneck.
- Conduct a regulator-grade gap assessment against HIPAA Security Rule and state-specific requirements such as the NY SHIELD Act, focusing on access control, encryption, and breach notification timing.
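One way to implement the credential-abuse monitoring recommended above (baselining authentication patterns and alerting on impossible-travel, new-device, dormant-account and high-volume logins), as an added example that is not part of the original article and is not tooling from OrthopedicsNY, the AG investigation or any vendor: a small Python detector run over constructed VPN authentication log lines. The log format, the user and device names, the coordinates (a real pipeline would get them from a GeoIP lookup on the source IP) and the thresholds are all assumptions for the example.

```python
"""Credential-abuse detection over constructed remote-access authentication logs.

Added example, not code from the article or from OrthopedicsNY. Each user's
known devices and last successful login form the baseline; later logins that
break the baseline produce an alert. Events must be fed in chronological order.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Detection thresholds (assumed values; tune to the environment).
MAX_PLAUSIBLE_SPEED_KMH = 900.0        # faster than this between two logins = impossible travel
DORMANT_DAYS = 60                      # no successful login for this long = dormant account
HIGH_VOLUME_WINDOW = timedelta(minutes=10)
HIGH_VOLUME_COUNT = 5                  # successful logins inside the window that trigger an alert


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    device_id: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Alert:
    user: str
    ts: datetime
    rule: str
    detail: str


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line of the form
    '2024-01-05T08:00:00 user=alice device=dev-01 lat=42.65 lon=-73.75 result=success'."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    return AuthEvent(datetime.fromisoformat(tokens[0]), fields["user"],
                     fields["device"], float(fields["lat"]), float(fields["lon"]))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(h))


def detect(lines) -> list:
    """Return the alerts raised while replaying successful logins in order."""
    known_devices = {}   # user -> set of device ids seen so far (the baseline)
    last_event = {}      # user -> most recent successful AuthEvent
    recent = {}          # user -> timestamps of logins inside the high-volume window
    alerts = []
    for line in lines:
        if not line.strip().endswith("result=success"):
            continue  # failed attempts are a separate brute-force signal; not covered here
        ev = parse_line(line)
        prev = last_event.get(ev.user)
        if prev is not None:
            gap_h = (ev.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if gap_h > 0 and dist / gap_h > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append(Alert(ev.user, ev.ts, "impossible_travel",
                                    f"{dist:.0f} km in {gap_h:.2f} h"))
            if ev.ts - prev.ts > timedelta(days=DORMANT_DAYS):
                alerts.append(Alert(ev.user, ev.ts, "dormant_account_login",
                                    f"last login {prev.ts.isoformat()}"))
        # A device is "new" only once the user already has a baseline.
        if ev.user in known_devices and ev.device_id not in known_devices[ev.user]:
            alerts.append(Alert(ev.user, ev.ts, "new_device", ev.device_id))
        known_devices.setdefault(ev.user, set()).add(ev.device_id)
        window = recent.setdefault(ev.user, [])
        window.append(ev.ts)
        window[:] = [t for t in window if ev.ts - t <= HIGH_VOLUME_WINDOW]
        if len(window) == HIGH_VOLUME_COUNT:   # fire once when the threshold is reached
            alerts.append(Alert(ev.user, ev.ts, "high_volume",
                                f"{len(window)} logins in {HIGH_VOLUME_WINDOW}"))
        last_event[ev.user] = ev
    return alerts


# Constructed sample log: Albany-area logins (42.65, -73.75) plus one from London.
SAMPLE_LOG = [
    "2023-10-01T09:00:00 user=bob device=dev-10 lat=42.65 lon=-73.75 result=success",
    "2024-01-05T08:00:00 user=alice device=dev-01 lat=42.65 lon=-73.75 result=success",
    "2024-01-05T08:30:00 user=alice device=dev-02 lat=51.51 lon=-0.13 result=success",
    "2024-01-06T03:00:00 user=bob device=dev-10 lat=42.65 lon=-73.75 result=success",
    "2024-01-06T10:00:00 user=carol device=dev-30 lat=42.65 lon=-73.75 result=success",
    "2024-01-06T10:01:00 user=carol device=dev-30 lat=42.65 lon=-73.75 result=success",
    "2024-01-06T10:02:00 user=carol device=dev-30 lat=42.65 lon=-73.75 result=success",
    "2024-01-06T10:03:00 user=carol device=dev-30 lat=42.65 lon=-73.75 result=success",
    "2024-01-06T10:04:00 user=carol device=dev-30 lat=42.65 lon=-73.75 result=success",
    "2024-01-06T11:00:00 user=dave device=dev-20 lat=42.65 lon=-73.75 result=failure",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.user:6} {a.rule:22} {a.detail}")
```

On the sample log the detector raises four alerts: alice's second login is both impossible travel (roughly 5,400 km in half an hour) and a new device, bob's login after a gap of about three months is a dormant-account login, and carol's fifth login inside ten minutes is high-volume; the failed attempt is skipped. In production the baseline would be persisted rather than rebuilt per run, and a new-device alert would be escalated when it coincides with impossible travel, since that pairing is what a stolen password used from the attacker's own machine looks like when MFA is absent.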
Sources: OrthopedicsNY faces $1.95M penalty after INC Ransom attack