OrthoNY to Pay $500K After Data Breach Exposes Personal Info


OrthoNY, a major orthopedic practice in the Capital Region, has agreed to pay $500,000 following an investigation by New York Attorney General Letitia James into a significant data breach. In December 2023, hackers accessed OrthoNY's network using compromised login credentials, exposing the personal and health information of over 650,000 patients and employees. The stolen data included Social Security numbers, driver’s license numbers, and passport numbers for approximately 110,000 individuals.

The Attorney General's office found that OrthoNY failed to implement essential cybersecurity measures, such as multi-factor authentication and data encryption, to protect sensitive information. As part of the settlement, OrthoNY will not only pay the fine but also provide one year of free credit monitoring to all affected individuals. Additionally, the company is required to enhance its data security practices, including conducting regular risk assessments and implementing multi-factor authentication for remote access.

The breach was not disclosed to patients until nearly 10 months later, on October 30, 2024. During this period, OrthoNY conducted an investigation into the incident, although it has not been disclosed whether a ransom was paid to the attackers. Attorney General James emphasized the importance of healthcare providers securing patient information, stating, "No patient deserves to have their information exposed."

This settlement is part of ongoing efforts by the Attorney General's office to hold organizations accountable for failing to safeguard sensitive data. OrthoNY operates clinics in Albany, Schenectady, Saratoga Springs, Glens Falls, and other locations across the region.

