In December 2025, the New York Attorney General announced a $500,000 settlement with OrthopedicsNY, LLP — an orthopedic medicine and surgery practice serving patients across New York’s Capital Region. The reason? A ransomware attack in late 2023 exposed the personal information of more than 650,000 patients and employees, including the Social Security numbers, driver’s license numbers, and passport numbers of roughly 110,000 people.
The painful part? State investigators concluded that the breach was largely preventable. OrthopedicsNY had left the door wide open with missing cybersecurity basics — the digital equivalent of leaving patient files on the sidewalk.
Let’s break down exactly what happened, what OrthopedicsNY failed to do, and most importantly, what any healthcare organization can do right now to avoid the same fate.
What Happened: The Breach in Plain English
On or around December 28, 2023, a ransomware group known as INC Ransom broke into OrthopedicsNY’s computer network using stolen login credentials — meaning they had a valid username and password that let them walk right in as if they were a legitimate employee.
Once inside, the attackers did two things:
- They stole files — downloading sensitive patient and employee data onto their own systems.
- They encrypted files on the network — locking OrthopedicsNY out of its own data and issuing a ransom demand to restore access.
The data exposed included health records, insurance information, and for more than 110,000 individuals, highly sensitive government-issued ID information. That last category is especially serious because it can enable long-term identity theft that victims may not discover for years.
TIMELINE: OrthopedicsNY waited nearly ten months before notifying affected patients. Under HIPAA’s Breach Notification Rule (45 CFR §164.404), covered entities must notify individuals without unreasonable delay, and in no case later than 60 calendar days after discovering a breach. The HHS Breach Notification Rule guidance makes this obligation unambiguous.
What the Investigation Found: The Security Gaps
The New York Attorney General’s investigation didn’t find complex or exotic failures. It found basic cybersecurity protections that were simply never put in place. Here are the two primary findings:
1. No Multi-Factor Authentication (MFA) on Remote Access
Multi-factor authentication (MFA) is the security feature that asks for a second form of verification — beyond just a password — when someone tries to log in. OrthopedicsNY had not enabled MFA for remote access to its network. That meant when attackers obtained an employee’s login credentials, they could simply log in. No second hurdle. No alert. No block.
CONTEXT: According to Microsoft’s published security research, MFA can block over 99.9% of account compromise attacks. The February 2024 Change Healthcare ransomware attack, which cost UnitedHealth Group over $1.5 billion, also began through a critical remote access portal that lacked MFA, as UnitedHealth’s CEO confirmed in congressional testimony.
2. Patient and Employee Data Was Not Encrypted
Encryption is the process of scrambling data so that it becomes unreadable to anyone without the decryption key. OrthopedicsNY stored patient data without encryption. That meant once the attackers gained network access, they could simply open and copy the files. There was nothing to stop them from reading or downloading whatever they found.
What OrthopedicsNY Should Have Done Differently
This is the most important section of this post — because the same vulnerabilities that exposed OrthopedicsNY exist at thousands of healthcare organizations across the country. Here is a practical breakdown of the preventive measures that would have materially changed the outcome.
Step 1: Turn On Multi-Factor Authentication — Everywhere
This is the single highest-impact action any organization can take. MFA should be enabled for all remote access points (VPNs, remote desktop tools, cloud systems), email accounts, and any third-party applications that store or access sensitive information. Most enterprise platforms — Microsoft 365, Google Workspace, and major EHR systems — include MFA as a built-in feature. For many organizations, it is simply a matter of turning it on and training staff to use it.
ACTION ITEM: Audit every remote access point in your organization this week. If MFA is not enabled on any of them, treat it as a critical vulnerability requiring immediate remediation. Microsoft’s own research confirms it is the single most effective countermeasure available against credential-based attacks.
Step 2: Encrypt Sensitive Data at Rest and in Transit
Encryption should be applied when data is stored (‘at rest’) and when it is sent across a network (‘in transit’). The HIPAA Security Rule’s technical safeguards (45 CFR §164.312) address encryption requirements for ePHI. The practical outcome: even if an attacker gains network access, they cannot read or use data that is properly encrypted without the corresponding decryption key.
Notably, HHS’s December 2024 proposed update to the HIPAA Security Rule would make encryption of ePHI at rest and in transit a mandatory requirement — eliminating the current ‘addressable’ flexibility that allowed some organizations to sidestep it. The full proposed rule was published in the Federal Register on January 6, 2025; the final rule is pending.
Step 3: Conduct Annual Risk Assessments
HIPAA has required covered entities to conduct security risk assessments since the Security Rule took effect. Under 45 CFR §164.308(a)(1), covered entities must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. HHS’s dedicated risk analysis guidance elaborates on what a compliant assessment must include. Yet the AMA notes that failure to conduct adequate risk assessments remains one of the most commonly cited violations in enforcement actions.
A good risk assessment answers questions like: Where is our most sensitive data stored, and who has access to it? What would happen if an employee’s credentials were stolen? Have we tested our systems against known attack methods recently? Are there any systems that are out of date or no longer supported?
As part of its settlement, OrthopedicsNY is now required to conduct annual risk assessments — a requirement it apparently was not adequately meeting before the breach.
Step 4: Implement Access Controls and the Principle of Least Privilege
Not every employee needs access to every patient record. The ‘principle of least privilege’ means giving users access only to the data they need for their specific job. HIPAA’s workforce security standard (45 CFR §164.308(a)(3)) requires organizations to implement procedures ensuring workforce members have only appropriate access to ePHI.
When attackers used compromised credentials to enter OrthopedicsNY’s network, they were able to move laterally through systems. Tight access controls would have contained the blast radius — limiting what an attacker could reach even after gaining initial entry.
ACTION ITEM: Review user access levels across your organization. Revoke access to systems and data that employees no longer need for their current role. This is especially important for former employees and vendors.
Step 5: Set Up Network Monitoring and Anomaly Detection
The HIPAA Security Rule’s information system activity review standard (45 CFR §164.308(a)(1)(ii)(D)) requires organizations to regularly review records of information system activity, such as audit logs and access reports. A network monitoring system designed to flag unusual activity — a sudden spike in data downloads, logins from unusual locations, or access at odd hours — could have triggered an alert far earlier in the attack chain.
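The three signals named above (odd-hour access, logins from unusual locations, and a spike in download volume) can be checked with a small review script over access logs. The following is an added example, not code from the original post or from OrthopedicsNY; the log format, business hours, baseline country and spike factor are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log records (not real data).
# Assumed format: timestamp, user, event, source_country, bytes_transferred
SAMPLE_LOG = """2023-12-27T09:12:03,jdoe,login,US,0
2023-12-27T09:15:40,jdoe,download,US,2400000
2023-12-27T14:02:11,asmith,login,US,0
2023-12-27T14:05:09,asmith,download,US,1800000
2023-12-28T02:47:55,jdoe,login,RO,0
2023-12-28T02:51:30,jdoe,download,RO,950000000"""

BUSINESS_HOURS = range(7, 20)   # assumed: 07:00-19:59 local time is normal
KNOWN_COUNTRIES = {"US"}        # assumed baseline: staff only connect from the US
DOWNLOAD_SPIKE_FACTOR = 10      # flag a download >10x the user's running average


def parse_log(text):
    """Turn CSV-style lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        ts, user, event, country, nbytes = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "event": event, "country": country, "bytes": int(nbytes)})
    return records


def detect_anomalies(records):
    """Return (user, timestamp, reason) tuples for odd-hour access,
    access from an unknown location, and per-user download spikes."""
    alerts = []
    history = defaultdict(list)  # per-user bytes of earlier downloads (the baseline)
    for r in sorted(records, key=lambda r: r["ts"]):
        when = r["ts"].isoformat()
        if r["ts"].hour not in BUSINESS_HOURS:
            alerts.append((r["user"], when, "access outside business hours"))
        if r["country"] not in KNOWN_COUNTRIES:
            alerts.append((r["user"], when, f"access from unusual location {r['country']}"))
        if r["event"] == "download":
            past = history[r["user"]]
            # Compare against this user's own earlier downloads, not a global number
            if past and r["bytes"] > DOWNLOAD_SPIKE_FACTOR * (sum(past) / len(past)):
                alerts.append((r["user"], when, "download volume spike vs. baseline"))
            past.append(r["bytes"])
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the constructed sample only the December 28 activity trips the checks; the December 27 activity matches the baseline and produces no alerts.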
Step 6: Have a Breach Response Plan — and Test It
OrthopedicsNY waited nearly ten months to notify affected patients. HIPAA’s Breach Notification Rule (45 CFR §164.404(b)) makes this unambiguous: notification must occur without unreasonable delay and no later than 60 calendar days after the breach is discovered — and some state laws impose even shorter timelines.
Every organization handling sensitive health data should have a documented incident response plan that includes: clear timelines for internal escalation; a defined process for scoping the incident; legal and compliance review; and pre-drafted notification templates. Knowing these obligations before a breach occurs — not during one — is critical.
The Cost of Doing Nothing: A Simple Comparison
| Cost of Prevention | Cost of the Breach |
The Bigger Picture: A Pattern of Enforcement
OrthopedicsNY is not an isolated case. New York Attorney General Letitia James has made healthcare data security a stated enforcement priority, and this settlement is part of a broader pattern of actions against organizations that fail to meet basic cybersecurity standards.
State attorneys general across the country are similarly expanding their enforcement of healthcare data security. The regulatory environment is tightening, and organizations that treat cybersecurity as optional overhead are increasingly finding themselves in the crosshairs.
The Bottom Line
The OrthopedicsNY breach was not the result of a sophisticated nation-state cyberattack. It was the result of missing fundamentals: no MFA, no encryption, and inadequate monitoring. More than 650,000 people had their most sensitive personal information exposed because of those gaps.
The settlement terms OrthopedicsNY is now required to implement — MFA, encryption, risk assessments, access controls, and network monitoring — are things that should have been standard operating procedure long before the breach occurred. For any healthcare organization reading this: the time to address these gaps is not after regulators come calling. It’s now.