Excelsior Orthopaedics is notifying approximately 357,000 people that their personal and health information was compromised in a data breach resulting from a ransomware attack that came to light in June 2024.

A class action lawsuit was recently launched against Excelsior Orthopaedics, LLC, a New York-based provider of sports medicine and orthopaedic care, after it announced it was the victim of a June 2024 cyberattack that compromised identities of current and former patients and employees. The lawsuit alleges Excelsior was negligent in failing to secure it data according to required industry standards.

About Excelsior Orthopaedics

Operating several clinics in Amherst, New York, including the Buffalo Surgery Center and Northtowns Orthopaedics, Excelsior Orthopaedics is a healthcare company that specializes in orthopaedical treatment care.

What Happened?

According to the Data Breach Notice posted on its website, on  June 23,  2024,  Excelsior detected unusual  activity on  its  network and discovered that it was  the victim of a data security incident.  Upon discovery of this incident, Excelsior immediately took steps to contain the intrusion and  engage a specialized third-party cybersecurity  firm  to  help   secure the  environment  and   conduct  a  comprehensive  forensic investigation  into  the nature  and  scope of the incident.  Excelsior  also  engaged outside  data mining experts to conduct a thorough analysis of the compromised data and  identify affected individuals.  

In August 2024,  with the data  mining process ongoing,  Excelsior  mailed an  initial wave of notices  to a small  population  of affected  individuals  and  reported  the incident  to the U.S. Department of Health and  Human Services and  the Office for  Civil Rights. The  bulk  of data mining was  completed  in December  2024,  which identified  additional  individuals  for  purposes of notification.  Excelsior  mailed a second wave of notices  to patients  on  December  31,  2024. Efforts  to identify  affected  individuals are  ongoing,  and  any  remaining  affected individuals  will be notified  via  first  class  mail  as they are identified.

Initial results of the forensic investigation indicated that the incident resulted in the compromise of data relating to current and former patients and employees of Excelsior and its related entities, including the Buffalo Surgery Center and Northtowns Orthopaedics.

Ransomware group MONTI has reportedly claimed responsibility for the attack.

What Information was Compromised as a Result of the Breach?

Excelsior is still in the process of identifying the individuals and data impacted as a result of this incident. The types of data compromised include –

• demographic information,
• driver’s license number,
• medical information,
• health insurance information,
• financial  information.  
• Social Security number.

The compromised information varies among affected individuals and is specified in the What Information is Involved Section of the Notification Letters being mailed to affected individuals.

What is Excelsior Orthopaedics Doing to Protect My Identity?

Excelsior reports that it has taken steps to enhance its existing security including new tools to augment its security platform, redesigning key system and business processes and implementing enhanced system alerts to reduce response times. Excelsior is also improving security training and awareness campaigns designed to educate employees and business partners on security threats.

Excelsior is also offering 12 months complimentary credit monitoring and identity protection services to individuals affected by the breach.

What can Hackers Do With My Information?

Stolen PII and PHI can be used to commit identity theft, open new credit accounts, make unauthorized purchases or obtain loans. Cybercriminals have recently targeted America’s essential industries and in so doing have forced millions of Americans to face the fallout from these attacks.

Leaked or stolen data can be sold on the dark web forums and may be used for fraud and medical identity theft, a type of fraud, where threat actors use stolen information to submit forged claims to insurers.

Clients affected by the breach are exposed to a heightened and imminent risk of fraud and identity theft. They must now and in the future closely monitor their financial accounts to guard against identity theft and fraud.

If you receive a data breach notification from Excelsior Orthopaedics it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft, as well as discuss your legal options at no cost to you. For more information, please review these recommendations.

Protect Your Identity. Join the Excelsior Orthopaedics Data Breach Class Action.

The lawsuit alleges that Excelsior Orthopaedics breached its duties under common law and the Federal Trade Commission Act to implement reasonable security measures, comply with industry standards and federal data-security regulations, encrypt sensitive data, and provide adequate and timely notice of the breach.

If you receive a notification letter from Excelsior Orthopaedics you are at permanent risk of identity theft and the devastating financial and legal consequences that go along with it.

You may be eligible to participate in a class action lawsuit to recover compensation for loss of privacy, time spent dealing with the breach, out-of-pocket costs, and more.

The lawsuit looks to cover anyone in the USA whose private information was compromised by the breach announced by Excelsior Orthopaedics on January 3, 2025.

Please complete the form shown on this page and a data breach attorney will contact you. There is no cost to you.

Tags: cyber attack   data breach   Data Privacy   Identity Theft   personal health information   Personal Identifying Information   ransomware