Attorney General James Secures $500,000 from Capital Region Health Care Provider for Failing to Protect Patients’ Information

NEW YORK – New York Attorney General Letitia James today announced that her office has secured $500,000 in penalties from OrthopedicsNY, LLP (OrthopedicsNY) for failing to protect patients’ private information. OrthopedicsNY is an orthopedics medicine and surgery practice that operates clinics and surgery centers across the Capital Region. An investigation by the Office of the Attorney General (OAG) found that cyber-attackers were able to steal patient data because the health care practice did not properly protect its systems, exposing the information of more than 650,000 patients and employees. Today’s settlement requires OrthopedicsNY to pay $500,000 in penalties and significantly strengthen its data security to secure patient data. Impacted patients and employees were each offered one year of free credit score monitoring funded by OrthopedicsNY to protect against fraud.

“Patients entrust their health care providers with their personal information, and providers must honor that trust by ensuring their systems are secure,” said Attorney General James. “OrthopedicsNY failed to do its due diligence to protect patients’ private information. No patient deserves to have their information exposed and my office will continue to enforce the law to protect New Yorkers’ personal data.”

In 2023, attackers were able to gain remote access to OrthopedicsNY’s network using compromised login information. The attackers then downloaded unencrypted files containing sensitive private personal and health care information of approximately 656,000 individuals, including the social security numbers, driver’s license numbers, or passport numbers for approximately 110,000 individuals.  

The OAG’s investigation determined that prior to the breach, OrthopedicsNY had failed to implement reasonable data security practices designed to protect patients’ information. OrthopedicsNY to use multifactor authentication for remote access, encrypt sensitive patient data, and regularly conduct appropriate risk assessments, all measures that help protect data. 

As a result of today’s agreement, OrthopedicsNY will pay the state $500,000 in penalties and costs, and will fund credit monitoring services for all impacted individuals. OrthopedicsNY is also required to adopt measures to better protect patient information going forward, including:

• Maintaining a comprehensive information security program that ensures safeguards are in place to protect the security, integrity, and confidentiality of patients’ data;
• Establishing and implementing policies and procedures that appropriately limit access to patient and employee data;
• Implementing multi-factor authentication for remote access to its network;
• Encrypting patient and employee data that it collects, stores, transmits, and/or maintains;
• Establishing and maintaining a system designed to monitor networks and systems for anomalous activity; and
• Conducting annual risk assessments to identify anticipated internal and external risks to the security, confidentiality, or integrity of patient and employee data.

Today’s announcement continues Attorney General James’ efforts to hold companies accountable for their poor data security practices. Last month, Attorney General James announced her office had obtained $1,700,000 from Illuminate Education after sensitive student data was stolen in a breach.  In October 2025, Attorney General James announced her office secured $14,200,000 from eight car insurance companies for failing to protect the private information of more than 825,000 New Yorkers.  In March 2025, Attorney General James secured $975,000 from Root, an auto insurer, and sued Allstate for failing to protect New Yorkers’ information, causing respectively more than 45,000 and 165,000 New Yorkers’ information to be exposed.  In January 2025, Attorney General James announced her office obtained a $450,000 settlement with three companies that distributed home security video cameras for failing to secure consumers’ private home security videos. In December 2024, Attorney General James announced a $500,000 settlement with Noblr auto insurance for inadequate data security. 

This matter was handled by Senior Enforcement Counsel Jordan Adler and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.