OrthopedicsNY Hit with $500K Fine for Data Breach

ALBANY, NY – A Capital Region healthcare provider is feeling the heat after a colossal data breach exposed the sensitive information of over 650,000 patients and employees. New York Attorney General Letitia James just slapped OrthopedicsNY, LLP (OrthopedicsNY) with a $500,000 penalty for failing to adequately protect its systems from cyberattackers.

The investigation, led by the Attorney General’s Office (OAG), revealed that attackers gained remote access in 2023 using compromised login credentials. They then made off with unencrypted files containing a treasure trove of personal data, including Social Security numbers, driver’s license numbers, and even passport numbers for approximately 110,000 individuals. This wasn’t a simple oversight; it was a systemic failure to implement basic security measures.

“Patients entrust their health care providers with their most personal information, and providers must honor that trust by ensuring their systems are secure,” Attorney General James stated bluntly. “OrthopedicsNY failed to do its due diligence, and no patient deserves to have their information exposed. We’re sending a clear message: protect patient data or face the consequences.”

The OAG found that OrthopedicsNY was woefully lacking in essential security protocols. They hadn’t bothered with multi-factor authentication for remote access, failed to encrypt sensitive patient data, and didn’t conduct regular risk assessments – all readily available and proven methods to safeguard information. It’s a shocking indictment of their negligence.

The settlement isn’t just about the fine. OrthopedicsNY is now mandated to overhaul its data security program, including implementing a comprehensive information security program, limiting access to sensitive data, encrypting all patient and employee information, and establishing a system to monitor for suspicious activity. They’re also on the hook for funding one year of free credit score monitoring for all impacted individuals. This isn’t a slap on the wrist; it’s a full-scale security overhaul.

This case is part of a larger trend of Attorney General James cracking down on companies with lax data security. Just last month, her office secured $1,700,000 from Illuminate Education after a student data breach. In October, she wrangled $14,200,000 from eight car insurance companies for similar failings, and in March, secured $975,000 from Root and sued Allstate. The message is clear: New Yorkers’ data is a priority, and those who fail to protect it will pay a steep price.
