Case Overview: A $2.4 million settlement has been reached to resolve a class action data breach lawsuit against Excelsior Orthopaedics and Buffalo Surgery Center, following an incident that allegedly exposed the sensitive personal and medical information of patients.
Consumers Affected: Current and former patients of Excelsior Orthopaedics and Buffalo Surgery Center whose personal or medical data was compromised in the breach.
Court: To be confirmed upon review of final settlement documents.

Excelsior Orthopaedics and Buffalo Surgery Center have agreed to pay $2.4 million to settle a class action lawsuit stemming from a data breach that allegedly exposed the private information of patients at the New York-based healthcare providers. According to a report from the HIPAA Journal, the settlement resolves litigation brought by individuals who claim their sensitive data was left vulnerable due to inadequate security practices.
The settlement has not yet received final court approval. If approved, affected patients may be eligible to receive compensation from the settlement fund.
The class action complaint alleged that Excelsior Orthopaedics and Buffalo Surgery Center failed to implement reasonable and adequate cybersecurity measures to protect patient data. As a result of that alleged failure, the lawsuit claims unauthorized third parties were able to access systems containing patients' personally identifiable information (PII) and protected health information (PHI).
The types of data allegedly exposed in the breach are particularly sensitive in nature. Medical records and related health information carry heightened risk when compromised, as they can be used for identity theft, fraudulent insurance claims, and other forms of financial harm. The complaint alleged that affected individuals were placed at an elevated and ongoing risk following the incident.
The lawsuit further alleged that the organizations were slow to notify affected patients after discovering the breach, limiting individuals' ability to take timely protective action.
The settlement class is expected to include current and former patients of Excelsior Orthopaedics and Buffalo Surgery Center whose personal or medical information was stored in the compromised systems at the time of the breach. Both organizations serve patients in the Buffalo, New York area, with Excelsior Orthopaedics operating as one of the region's larger orthopedic practices.
The exact number of individuals whose records were affected has not been publicly confirmed in available reporting. Healthcare data breaches of this nature, however, often impact thousands of patients given the volume of records maintained by medical providers.
Under the proposed settlement, the $2.4 million fund would be used to compensate eligible class members. Affected individuals may be eligible to submit claims for reimbursement of out-of-pocket losses tied to the breach — such as costs related to credit monitoring, identity theft remediation, or other documented expenses — as well as potential cash payments.
Settlement terms typically also include provisions for credit monitoring and identity protection services for class members, though the specific benefits available in this case should be confirmed through official settlement documentation once it becomes publicly available.
Neither Excelsior Orthopaedics nor Buffalo Surgery Center has admitted wrongdoing as part of the settlement agreement.
Healthcare organizations are frequent targets of cyberattacks, in part because medical records contain a dense combination of information — names, addresses, dates of birth, Social Security numbers, insurance details, and clinical data — that can be exploited in multiple ways.
According to the U.S. Department of Health and Human Services, healthcare data breaches have increased significantly over the past decade, with large-scale incidents now reported on a near-weekly basis. Unlike financial account numbers, which can be changed after a breach, medical histories and Social Security numbers are permanent, leaving affected individuals exposed to long-term risk.
Federal law under HIPAA requires healthcare providers to implement administrative, physical, and technical safeguards to protect patient data and to notify affected individuals within 60 days of discovering a breach.
Lawsuit: Plaintiffs v. Excelsior Orthopaedics and Buffalo Surgery Center
Case Number: To be confirmed
Court: To be confirmed
Plaintiffs' Attorney(s): To be confirmed upon review of court filing
InjuryClaims.com reports on litigation developments for informational purposes only. Nothing in this article constitutes legal advice. Eligibility for any settlement or lawsuit is determined by attorneys and courts, not by this publication.