Excelsior Orthopaedics and Buffalo Surgery Center have agreed to pay $2.4 million to settle a class-action lawsuit over a data breach that exposed sensitive health information for approximately 357,000 people. The settlement, which includes up to $5,000 in individual reimbursement for out-of-pocket losses, two years of complimentary credit monitoring, and mandatory security upgrades, represents one of several healthcare data breach settlements reaching consumers in 2026. This agreement resolves claims that the Amherst, New York-based medical providers failed to adequately protect patient records, which were compromised when unusual network activity was detected in June 2024.
The breach exposed a significant range of personal information including names, Social Security numbers, driver’s license and state ID numbers, passport numbers, dates of birth, biometric information, diagnoses, financial account details, health insurance information, and prescription records. Patients were notified in two waves—in August 2024 and again in December 2024—creating a timeline of uncertainty that lasted months. This article explains who is eligible for compensation, how to file a claim, what the credit monitoring covers, and what security changes the settlement requires Excelsior and Buffalo Surgery Center to implement going forward.
Table of Contents
- What Information Was Exposed in the Excelsior Orthopaedics Data Breach?
- How Many People Are Affected and When Were They Notified?
- What Compensation and Benefits Are Available in the Settlement?
- How Do You File a Claim for Reimbursement in This Settlement?
- What Does the Credit Monitoring Cover and How Long Does It Last?
- What Security Changes Must Excelsior Orthopaedics Implement?
- When Will the Settlement Be Final and What Happens Next?
- Conclusion
- Frequently Asked Questions
What Information Was Exposed in the Excelsior Orthopaedics Data Breach?
The compromised data set from the Excelsior breach is unusually comprehensive, containing not just basic identity information but deeply sensitive health and financial records. For someone who received treatment at these facilities for an orthopedic condition, their exposure likely includes their diagnosis (such as a knee reconstruction or spinal surgery), their health insurance provider information, and potentially their prescription records for post-operative pain management or physical therapy medications. This combination of health data, financial account information, and government-issued IDs creates a heightened risk for identity theft and medical fraud.
The presence of biometric information in the exposed dataset is particularly concerning because, unlike a stolen Social Security number or password that can be changed, biometric data cannot be easily replaced. A person whose fingerprints or other biometric identifiers were exposed would need to consider whether they might face future complications if a criminal used this data to fraudulently access other systems or services that rely on biometric verification. The scope of this breach is wider than many healthcare data incidents because it touches healthcare records, government identification, and financial information simultaneously.

How Many People Are Affected and When Were They Notified?
Approximately 357,000 individuals are included in the class action settlement, making this a large-scale breach affecting hundreds of thousands of patients across Excelsior Orthopaedics’ service area in western New York. The staggered notification timeline—first in August 2024 and again in December 2024—meant that some patients learned about the breach months after the unauthorized access occurred, leaving them with an extended window of vulnerability before they could take protective steps like freezing their credit.
This delayed notification pattern is common in healthcare breaches because organizations often take several months to investigate the scope of the breach, identify affected individuals, and prepare notification materials. However, if you received an August notification but did not follow up on it, the December 2024 notification would have served as a second opportunity to enroll in the two-year credit monitoring benefit and begin taking protective measures. If you do not recall receiving either notification, you can verify your eligibility by checking the official settlement website at excelsiordatasettlement.com, which maintains an updated list of eligible individuals.
What Compensation and Benefits Are Available in the Settlement?
The settlement provides three main forms of compensation and protection: direct monetary reimbursement, credit monitoring, and security improvements. For direct payments, eligible individuals can receive up to $5,000 to reimburse out-of-pocket losses that are directly tied to the data breach—such as fraudulent charges, credit monitoring services you paid for separately, or expenses from identity theft recovery. This is not automatic; you must submit documentation of actual losses through the settlement claims process.
All affected individuals are eligible for two years of complimentary credit monitoring services at no cost, which typically includes credit report monitoring, alerts for suspicious account openings, and access to a credit score. The monitoring begins automatically once enrolled and provides ongoing protection against the most common forms of identity theft. Additionally, the settlement mandates that Excelsior Orthopaedics and Buffalo Surgery Center implement additional data security measures, including improvements to their systems, policies, and practices to prevent similar breaches in the future. While this doesn’t directly put money in your pocket, it reduces the risk that your information could be compromised again through the same vulnerabilities that led to the original breach.

How Do You File a Claim for Reimbursement in This Settlement?
To claim the up to $5,000 reimbursement for out-of-pocket losses, you must submit a claim through the official settlement website at excelsiordatasettlement.com, which processes all claims and verifies eligibility. The process requires you to provide documentation of actual expenses caused by the breach—for example, receipts for credit monitoring services you purchased, credit report fees, or documentation of fraudulent charges and your recovery efforts. You cannot simply claim $5,000 without evidence; the settlement administration will review each claim to confirm the losses are directly connected to the breach.
The deadline for submitting claims is typically several months after the final approval hearing scheduled for July 8, 2026. This means you will have a concrete deadline to file if you want to pursue reimbursement. If you have no out-of-pocket losses to claim, you are still entitled to the two-year credit monitoring benefit without taking any action—it enrolls automatically. However, keeping documentation of any identity theft or fraudulent activity that occurs is important; if you discover fraudulent charges months after the breach, you will need evidence to support a claim for reimbursement.
What Does the Credit Monitoring Cover and How Long Does It Last?
The two-year credit monitoring benefit is designed to catch the most common form of identity theft: fraudulent credit accounts opened in your name. The service typically monitors all three major credit bureaus (Equifax, Experian, and TransUnion) for new accounts, significant inquiries, or changes to existing accounts. You will receive alerts if someone attempts to open a credit card, auto loan, or other credit product using your identity, which gives you time to dispute the fraudulent application before it becomes a major problem. However, credit monitoring does not prevent identity theft—it detects it after it has already occurred.
If a criminal uses your Social Security number to open an account and the fraudulent creditor doesn’t report to the credit bureaus for several weeks, you might not be notified immediately. Additionally, some forms of identity theft don’t show up on credit reports at all, such as fraudulent use of your health insurance information to obtain medical services or medications. For comprehensive protection during the two-year monitoring period, you should also consider a credit freeze, which prevents creditors from accessing your credit report entirely unless you temporarily unfreeze it before applying for legitimate credit. A credit freeze is free and requires action with each of the three credit bureaus separately.

What Security Changes Must Excelsior Orthopaedics Implement?
As part of the settlement, Excelsior Orthopaedics and Buffalo Surgery Center must implement additional data security measures to protect patient information going forward. These requirements typically include upgrading encryption standards, implementing stronger access controls so that only employees who need patient information can access it, conducting regular security audits and penetration testing, and improving employee training on data security practices. The healthcare industry has moved toward stricter standards for protecting patient data following major breaches like this one, and mandatory security improvements in settlements help drive these changes across the healthcare sector.
For patients, the security improvements mean that future medical information at these facilities will be protected by stronger technical safeguards and organizational policies. However, these improvements are mandated retroactively, meaning they should have been in place before the June 2024 breach occurred. The unusual network activity that led to the discovery of the breach suggests that the original security measures were insufficient to prevent unauthorized access or detect it quickly enough to minimize exposure.
When Will the Settlement Be Final and What Happens Next?
The final approval hearing for this settlement is scheduled for July 8, 2026, at which point a judge will review whether the settlement is fair, reasonable, and adequate for the affected class members. Until that date, the settlement is preliminary, and there is a possibility—though typically small—that the judge could reject it and require additional negotiation. After final approval, claims will open for a specific period (usually 60-90 days), during which affected individuals can submit requests for reimbursement of out-of-pocket losses.
The credit monitoring enrollment will begin shortly after final approval, and individuals will receive instructions on how to activate their two-year monitoring benefit. For most people affected by this breach, the path forward is straightforward: enroll in the free credit monitoring, document any suspicious activity or fraudulent charges, and file a claim only if you have documented out-of-pocket losses directly caused by the breach. Keeping records of when you received breach notifications and what protective steps you took will be helpful if you later need to dispute fraudulent activity or support a claim for losses.
Conclusion
The $2.4 million settlement with Excelsior Orthopaedics and Buffalo Surgery Center addresses a significant healthcare data breach affecting 357,000 people in western New York. Eligible individuals can receive up to $5,000 in reimbursement for documented out-of-pocket losses, two years of complimentary credit monitoring, and the assurance that future security improvements will protect their information. The final approval hearing is scheduled for July 8, 2026, after which the claims filing period will open.
To protect yourself after this breach, enroll in the offered credit monitoring as soon as it becomes available, monitor your credit reports for suspicious activity, and consider placing a credit freeze with the three major credit bureaus for an additional layer of protection. If you have documented out-of-pocket expenses or fraudulent charges related to the breach, gather that documentation to support a claim for reimbursement. For the most current information on claim filing deadlines and the enrollment process, visit the official settlement website at excelsiordatasettlement.com.
Frequently Asked Questions
Do I automatically get the $5,000 from the settlement?
No. The $5,000 reimbursement is available only if you have documented out-of-pocket losses directly caused by the breach, and you must submit a claim with supporting documentation. The two-year credit monitoring, however, enrolls automatically.
If I was notified in August but didn’t act on it, can I still participate in December 2024?
Yes. The December 2024 notification was sent to ensure that everyone received information about the breach and had the opportunity to enroll in credit monitoring and file a claim. You are eligible regardless of which notification you received.
What happens after the July 8, 2026 final approval hearing?
After final approval, the claims filing window will open for eligible individuals to submit reimbursement requests. The exact deadline will be announced after the hearing. Credit monitoring enrollment will begin shortly after.
Does credit monitoring prevent identity theft?
No. Credit monitoring detects unauthorized accounts and suspicious activity after it has occurred, which allows you to dispute fraudulent charges quickly. To prevent unauthorized credit access, consider pairing credit monitoring with a credit freeze, which you can place for free with each of the three credit bureaus.
What if I did not receive either the August or December 2024 notification?
You can verify your eligibility and status at excelsiordatasettlement.com. If you were a patient at Excelsior Orthopaedics or Buffalo Surgery Center during the relevant time period, you may still be eligible even if you didn’t receive the notification.
Are the security improvements guaranteed to prevent future breaches?
No. The mandated security improvements reduce the risk of future breaches, but no organization can guarantee that a breach will never occur. The improvements are designed to meet current industry standards and comply with HIPAA requirements for healthcare data protection.
