New York Orthopedics Practice Pays $500K Penalty for Lax Cybersecurity

An orthopedic medical practice in New York state – Orthopedics NY LLC – has settled alleged cybersecurity failures with New York Attorney General Letitia James. The settlement includes a $500,000 financial penalty, a year of credit monitoring services for the breach victims, and substantial security enhancements.

An investigation was launched by the Office of the New York Attorney General over a December 2023 ransomware attack. The INC Ransom ransomware group breached the Orthopedics NY network on or around December 28, 2023, exfiltrated files, and encrypted files on its network. A ransom demand was issued to decrypt files and prevent the publication of the stolen data, although Orthopedics NY did not state whether the ransom was paid. Like many ransomware attacks, initial access was gained using compromised credentials.

The investigation into the attack took nine months, and on September 5, 2024, Orthopedics NY confirmed that the personal and protected health information of patients and employees was stolen in the attack. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 656,086 individuals. More than 110,000 of those individuals had highly sensitive data stolen, such as Social Security numbers, passport numbers, and driver’s license numbers.

The NY AG investigation determined that insufficient security measures had been implemented to safeguard sensitive data on its network. Multifactor authentication had not been implemented, and Orthopedics NY had not encrypted patient data. The security failures were deemed to have violated state laws and warranted a financial penalty.

In addition to a $500,000 financial penalty, Orthopedics NY is required to implement additional security measures and must provide the breach victims with a year of free credit monitoring services. The required security measures include:

  • The maintenance of a comprehensive information security program
  • Multifactor authentication for remote access
  • Annual security risk assessments
  • Limits on how much patient and employee data can be accessed
  • Encryption of sensitive employee and patient data
  • Monitoring of systems for suspicious activity

“Patients entrust their health care providers with their personal information, and providers must honor that trust by ensuring their systems are secure. OrthopedicsNY failed to do its due diligence to protect patients’ private information. No patient deserves to have their information exposed, and my office will continue to enforce the law to protect New Yorkers’ personal data,” said Attorney General James.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/