New York AG Secures $500K Settlement with OrthoNY Over 2023 Data Breach
New York Attorney General Letitia James has reached a $500,000 settlement with OrthopedicsNY, LLP (OrthoNY), a New York-based orthopedics practice, following a 2023 data breach that exposed the personal information of over 650,000 patients and employees. The breach compromised sensitive data, including Social Security numbers, driver’s license numbers, and passport details for approximately 110,000 individuals.
The settlement, announced by the New York Office of the Attorney General (OAG), stems from an investigation that found OrthoNY failed to adequately protect patient and employee data, violating state laws. In addition to the financial penalty, OrthoNY must provide affected individuals with one year of free credit monitoring and implement stricter security measures, including:
- A comprehensive information security program to safeguard patient data.
- Policies to limit access to sensitive information.
- Multi-factor authentication for remote network access.
- Encryption of collected, stored, and transmitted data.
- Network monitoring systems to detect anomalous activity.
- Annual risk assessments to identify security vulnerabilities.
Attorney General James emphasized the responsibility of healthcare providers to secure patient data, stating that OrthoNY’s failure to do so violated the trust of those it serves. The settlement reflects the OAG’s increased enforcement of data security laws, following recent actions against other organizations, including ed tech providers, auto insurers, and a home security company. The case underscores the growing role of state attorneys general in enforcing data protection standards alongside federal regulations like HIPAA.
OrthoNY cybersecurity rating report: https://www.rankiteo.com/company/orthony
{
  "id": "ORT1769030875",
  "linkid": "orthony",
  "type": "Breach",
  "date": "1/2023",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "650,000+ (patients and employees)",
      "industry": "Healthcare",
      "location": "New York, USA",
      "name": "OrthopedicsNY, LLP (OrthoNY)",
      "type": "Healthcare Provider"
    }
  ],
  "customer_advisories": "Affected individuals offered one year of free credit monitoring",
  "data_breach": {
    "data_encryption": "Required as part of settlement (encryption of collected, stored, and transmitted data)",
    "number_of_records_exposed": "650,000+ (110,000 with sensitive data)",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Social Security numbers",
      "Driver’s license numbers",
      "Passport details",
      "Personal information"
    ]
  },
  "date_publicly_disclosed": "2024",
  "description": "New York Attorney General Letitia James secured a $500,000 settlement with OrthopedicsNY, LLP (OrthoNY) following a 2023 data breach that exposed the personal information of over 650,000 patients and employees. The breach compromised sensitive data, including Social Security numbers, driver’s license numbers, and passport details for approximately 110,000 individuals.",
  "impact": {
    "brand_reputation_impact": "Violated trust of patients and employees",
    "data_compromised": "Personal and sensitive information, including Social Security numbers, driver’s license numbers, and passport details",
    "financial_loss": "$500,000 (settlement)",
    "identity_theft_risk": "High (due to exposure of Social Security numbers and other PII)",
    "legal_liabilities": "Violation of state data security laws"
  },
  "investigation_status": "Closed (settlement reached)",
  "lessons_learned": "Healthcare providers must implement robust security measures to protect patient data and comply with state and federal regulations.",
  "post_incident_analysis": {
    "corrective_actions": [
      "Comprehensive information security program",
      "Access limitation policies",
      "Multi-factor authentication",
      "Data encryption",
      "Network monitoring",
      "Annual risk assessments"
    ],
    "root_causes": "Failure to adequately protect patient and employee data"
  },
  "recommendations": [
    "Implement comprehensive information security programs",
    "Enforce access controls for sensitive data",
    "Adopt multi-factor authentication for remote access",
    "Encrypt all collected, stored, and transmitted data",
    "Deploy network monitoring systems",
    "Conduct annual risk assessments"
  ],
  "references": [
    { "source": "New York Office of the Attorney General (OAG)" }
  ],
  "regulatory_compliance": {
    "fines_imposed": "$500,000",
    "legal_actions": "Settlement with New York Attorney General",
    "regulations_violated": [
      "New York state data security laws",
      "HIPAA (implied)"
    ]
  },
  "response": {
    "enhanced_monitoring": "Network monitoring systems to detect anomalous activity",
    "remediation_measures": [
      "Comprehensive information security program",
      "Policies to limit access to sensitive information",
      "Multi-factor authentication for remote network access",
      "Encryption of collected, stored, and transmitted data",
      "Network monitoring systems to detect anomalous activity",
      "Annual risk assessments to identify security vulnerabilities"
    ]
  },
  "title": "OrthoNY Data Breach Settlement",
  "type": "Data Breach"
}