On the morning of June 23, 2024, IT staff at Excelsior Orthopaedics in Western New York discovered a problem with their network. In 2024 the term “unusual activity” has become a somber euphemism for what is nearly always an ongoing ransomware attack. They hired an outside cybersecurity company, which looked into it. When the extent of what had transpired became apparent, approximately 389,000 people, both current and former patients, learned that their most private information had been exposed to strangers. Their records had been sitting quietly in databases they had no reason to think about.
The attack has been attributed to the ransomware group MONTI. Security researchers have been following MONTI since at least 2022. It is a particularly effective group that is prepared to make stolen data public if ransom demands are not fulfilled. When MONTI enters a healthcare network, it gains access to far more than names and email addresses. Patients share diagnoses, prescription records, biometric data, Social Security numbers, passport numbers, financial account details, and health insurance policy information with their doctors under the presumption that it will never leave the building. In this instance, all of it might have been reachable. Patients who trusted Excelsior Orthopaedics with that information learned about it gradually; some received breach notices in August 2024, others didn’t until December, and still others didn’t find out about the Buffalo Surgery Center connection until a notice appeared on the organization’s website on January 3, 2025. The six-month gap between breach discovery and some of the notifications is worth noting.
| Category | Details |
|---|---|
| Case Name | Szucs, et al. v. Excelsior Orthopaedics, LLP, et al. |
| Case Number | 812753/2024 |
| Defendants | Excelsior Orthopaedics, LLP & Buffalo Surgery Center, LLC |
| Location | Buffalo / Western New York, USA |
| Breach Discovery Date | June 23–24, 2024 |
| Initial Disclosure | August 2024 |
| Buffalo Surgery Center Notice | January 3, 2025 |
| Lawsuit Filed | February 10, 2026 |
| Settlement Amount | $2,400,000 |
| Preliminary Approval | February 10, 2026 |
| Individuals Affected | Approximately 389,000 current and former patients |
| Responsible Threat Actor | MONTI ransomware group (claimed responsibility) |
| Data Compromised | Names, SSNs, dates of birth, driver’s licenses, passport numbers, biometric data, medical records, diagnoses, health insurance info, financial information, prescription info |
| Max Individual Payout | Up to $5,000 (documented losses) |
| No-Proof Payment | Pro-rated cash amount (no documentation required) |
| Free Credit Monitoring | 2 years, three-bureau (automatic, no claim required) |
| Claim Deadline | June 11, 2026 |
| Final Approval Hearing | July 8, 2026 |
| Settlement Website | ExcelsiorDataSettlement.com |
| Laws Cited | HIPAA; New York General Business Law; FTC Act |

A $2.4 million class action settlement with Excelsior Orthopaedics and the Buffalo Surgery Center, both located in Western New York, was preliminarily approved in February 2026. All current U.S. citizens whose data may have been compromised in the hack, roughly 389,000 people, are covered by the settlement. Following final approval, each class member is automatically eligible for two years of three-bureau credit monitoring and identity theft insurance, which will take effect without the need to file a claim. The settlement offers up to $5,000 in reimbursement for individuals who had documented financial losses, such as bank fees, credit monitoring expenses, time spent handling fraudulent charges, or the cost of replacing a driver’s license or government ID, as long as appropriate documentation is provided. After all other distributions have been made, those without documentation may apply for a prorated cash payment from whatever is left in the fund. The deadline for submitting claims is June 11, 2026.
The particular list of data that was exposed in this breach is telling. There is a certain intimacy in the records of orthopedic practices. When a patient comes in for a procedure that typically costs tens of thousands of dollars, such as a knee replacement or repair of a torn rotator cuff, they share diagnosis codes, surgical history, prescription details, insurance coverage, and frequently financial information linked to payment plans. That is not the same as a retailer losing your credit card number, which is a bad enough situation in and of itself. A ransomware group appears to have broken into a single network containing identity documents, medical histories, and physical conditions without setting off an automated alarm. The breach was found by employees who noticed “unusual activity” rather than by automated defenses, which raises questions about Excelsior’s security posture prior to June 2024 that the settlement documents do not fully address.
Over the past few years, the healthcare sector has been among the most likely targets of ransomware attacks. There is no mystery to the reasons. Medical records contain more personally identifiable information about each patient than nearly any other type of data. The infrastructure used by healthcare organizations is often outdated. Despite holding equally sensitive data, small and mid-sized practices, such as orthopedic groups, surgery centers, and specialty clinics, frequently lack the cybersecurity budgets of large hospital systems. Experts have been outlining this pattern in conference rooms and congressional hearings for years, and the Excelsior breach, which affected a regional orthopedic practice and its affiliated surgery center in Buffalo, fits it. The pattern has not slowed down. If anything, it has accelerated.
The Excelsior settlement’s future demands on the company are often overlooked in favor of the monetary amount. Excelsior has committed to implementing security improvements to better safeguard patient data as part of the agreement. It remains to be seen if those improvements are broad commitments that meet a settlement requirement without significantly altering the underlying infrastructure, or if they are specific, auditable, and truly consequential. Technical requirements are rarely specified in great detail in settlements of this kind because civil litigation isn’t really meant to produce that kind of outcome. It does, however, result in financial accountability after the fact, which in this instance amounts to about $6.15 per potentially impacted patient. This figure captures the legal resolution but says very little about the true cost of having your passport information, Social Security number, and medical records in the wrong hands.
Watching these cases go through the system—breach, investigation, lawsuit, settlement, credit monitoring, repeat—makes it difficult not to feel quietly frustrated. The deadline for filing a claim is June 11, 2026. The practical route is simple for former Excelsior Orthopaedics and Buffalo Surgery Center patients who received a notice letter: go to ExcelsiorDataSettlement.com, use the ID and PIN from the notice, and file before the deadline. The more difficult question is why there isn’t a settlement website for an industry that handles some of the most private human data in the world.
