Orthopedics Rhode Island Inc.

Orthopedics Rhode Island Inc. suffered a ransomware attack between September 4–8, 2024, compromising sensitive patient data, including names, addresses, dates of birth, billing/claims details, health insurance data, and medical records. The breach led to a $2.9 million class-action settlement, with affected individuals eligible for up to $5,000 in documented losses or a $100 alternate cash payment, alongside two years of free medical record monitoring. The lawsuit alleged the company failed to adequately protect patient information, exposing patients to identity theft and fraud risks. While Orthopedics Rhode Island denied wrongdoing, it settled to avoid prolonged litigation. The incident highlights vulnerabilities in healthcare data security, particularly against ransomware threats targeting personally identifiable information (PII) and protected health information (PHI).

Source: https://www.claimdepot.com/settlements/ori-settlement

TPRM report: https://www.rankiteo.com/company/orthopedic-group-inc.

{
  "id": "ort0203202110725",
  "linkid": "orthopedic-group-inc.",
  "type": "Ransomware",
  "date": "9/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Patients who received breach '
                                              'notices (exact number '
                                              'unspecified)',
                        'industry': 'Healthcare',
                        'location': 'Rhode Island, USA',
                        'name': 'Orthopedics Rhode Island Inc.',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Ransomware',
 'customer_advisories': 'Eligible individuals can file claims for cash '
                        'payments ($100 or up to $5,000 with documentation) or '
                        'medical record monitoring (2 years of CyEx Medical '
                        'Shield Ultra).',
 'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
                 'data_exfiltration': 'Yes (implied by ransomware attack)',
                 'file_types_exposed': ['Medical records',
                                        'Billing/claims documents',
                                        'Patient identifiers'],
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Dates of birth',
                                                         'Health insurance '
                                                         'details'],
                 'sensitivity_of_data': 'High (medical and personal data)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Protected Health Information '
                                              '(PHI)',
                                              'Financial/billing data']},
 'date_detected': '2024-09-04',
 'description': 'Orthopedics Rhode Island Inc. agreed to pay $2.9 million to '
                'settle a class action lawsuit alleging it failed to '
                'adequately protect patient data, resulting in a ransomware '
                'attack that exposed sensitive information, including names, '
                'addresses, dates of birth, billing and claims details, health '
                'insurance data, and medical records. Individuals who received '
                'a notice may be eligible to claim up to $5,000 from the '
                'settlement.',
 'impact': {'brand_reputation_impact': 'Significant (settlement and public '
                                       'disclosure)',
            'customer_complaints': 'Class action lawsuit filed',
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Dates of birth',
                                 'Billing and claims details',
                                 'Health insurance data',
                                 'Medical records'],
            'financial_loss': '$2.9 million (settlement fund)',
            'identity_theft_risk': 'High (PII and medical data exposed)',
            'legal_liabilities': '$2.9 million settlement',
            'payment_information_risk': 'Low (billing details exposed, but no '
                                        'explicit payment card data '
                                        'mentioned)'},
 'initial_access_broker': {'high_value_targets': ['Patient medical records',
                                                  'Billing data']},
 'investigation_status': 'Settled (class action lawsuit resolved)',
 'motivation': 'Financial (ransomware)',
 'post_incident_analysis': {'corrective_actions': 'Settlement includes '
                                                  'financial compensation and '
                                                  'medical monitoring for '
                                                  'affected individuals; '
                                                  'specific technical '
                                                  'remediations not disclosed',
                            'root_causes': 'Alleged failure to adequately '
                                           'protect patient data'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Likely (based on exposed data)'},
 'references': [{'source': 'Class Action Settlement Notice'},
                {'source': 'Settlement Administrator (ORI Data Incident '
                           'Settlement)'}],
 'regulatory_compliance': {'legal_actions': 'Class action lawsuit settled for '
                                            '$2.9 million',
                           'regulations_violated': ['HIPAA (likely)',
                                                    'State data breach laws']},
 'response': {'communication_strategy': 'Breach notifications sent to affected '
                                        'individuals; class action settlement '
                                        'established'},
 'stakeholder_advisories': 'Breach notices sent to affected individuals; '
                           'settlement claims process established',
 'title': 'Orthopedics Rhode Island $2.9M Data Breach Settlement',
 'type': ['Data Breach', 'Ransomware Attack']}