Excelsior Orthopaedics and Buffalo Surgery Center have agreed to pay $2.4 million to settle a data breach lawsuit affecting over 350,000 patients whose sensitive personal information was exposed. The settlement offers affected individuals up to $5,000 for documented out-of-pocket losses directly tied to the breach, along with two years of free credit monitoring services as an alternative option. This article explains what happened in the breach, who is eligible to claim compensation, what the settlement actually covers, and how to file your claim before the deadline.
The data breach occurred when both facilities experienced unusual network activity detected in June 2024, though patient notifications didn’t happen until August and December 2024. The lengthy delay between discovery and notification is not uncommon in healthcare data breaches, but it meant thousands of patients had their sensitive information at risk for months before they knew about it. The settlement was negotiated in a lawsuit brought by affected patients, and the defendants—Excelsior Orthopaedics in Amherst, New York and Buffalo Surgery Center in Buffalo, New York—have denied the allegations despite agreeing to the financial settlement.
Table of Contents
- What Information Did Excelsior Orthopaedics and Buffalo Surgery Center Expose?
- How Did the Breach Happen and Why Did It Take So Long to Notify Patients?
- Understanding the $2.4 Million Settlement Amount
- What Compensation Options Are Available to Affected Patients?
- Important Deadlines and the Final Approval Hearing
- Who Is Eligible to File a Claim?
- Next Steps for Patients Affected by This Data Breach Settlement
What Information Did Excelsior Orthopaedics and Buffalo Surgery Center Expose?
The data breach compromised an extensive range of highly sensitive information that hackers could use for identity theft and medical fraud. The exposed data included names, Social Security numbers, driver’s license and state identification numbers, passport numbers, dates of birth, biometric information, medical diagnosis information, financial account information, health insurance information, and prescription details. For example, if a hacker obtained someone’s Social Security number, driver’s license number, and date of birth from this breach, they could potentially open fraudulent credit accounts or file false tax returns in that person’s name.
The combination of compromised data types makes this breach particularly dangerous. Many healthcare breaches expose medical information alone, but this incident exposed financial identifiers as well. An attacker with both your date of birth and Social Security number could impersonate you to a bank or insurance company with significant success, which is why the settlement includes two years of credit monitoring—it’s a recognition that identity theft risk extends beyond just medical fraud for several years after a breach.

How Did the Breach Happen and Why Did It Take So Long to Notify Patients?
The breach was discovered in June 2024 when both healthcare organizations detected unusual network activity indicating unauthorized access. However, notifications to affected patients weren’t sent until August 2024 for some individuals and December 2024 for others, a gap that allowed potential misuse of the exposed information for several months. This timeline is fairly typical in healthcare breaches, where organizations must investigate the scope of the compromise, determine which patients were affected, and prepare compliant notification letters—but the delay still leaves patients vulnerable during that window.
The question of why breaches take months to disclose is important: organizations need time to understand what was accessed, but delaying notification also means individuals can’t take preventive steps like freezing their credit. If you were notified in August or December 2024, your identity has potentially been compromised since at least June 2024. This is why the settlement’s inclusion of free credit monitoring starting now is valuable—it provides some protection going forward, even if you can’t undo past exposure.
Understanding the $2.4 Million Settlement Amount
The $2.4 million settlement fund is divided between payments to affected class members and their lawyers’ fees. The defendants are paying this amount despite denying the allegations, a position common in healthcare breach litigation. The actual amount any individual receives depends on how many valid claims are submitted and how much compensation each person is entitled to based on documented losses.
For context, a $2.4 million settlement spread across 350,000 affected individuals sounds like relatively small compensation per person if everyone claimed an equal share—roughly $6.86 each. However, the settlement structure prioritizes those who can document actual out-of-pocket losses, so people who experienced identity theft or fraud receive substantially more, while others who suffered no concrete harm may receive less or opt for the credit monitoring instead. This structure means the settlement amount is not evenly distributed; it rewards documentation of actual damage.

What Compensation Options Are Available to Affected Patients?
Class members have two main compensation paths: a cash claim for out-of-pocket losses up to $5,000, or two years of free credit monitoring services. If you experienced fraud or identity theft related to the breach—such as unauthorized credit card charges, false medical claims filed in your name, or accounts opened fraudulently—you can document these losses and claim up to $5,000 in reimbursement. The claim must demonstrate that the loss was directly tied to the data breach and include supporting documentation like fraudulent transaction records or credit reports showing unauthorized accounts.
The credit monitoring option provides a different kind of value: it includes continuous monitoring of your credit file with three bureaus, alerts for suspicious activity, and potentially identity theft insurance. For someone who hasn’t experienced fraud but wants ongoing protection, monitoring can cost $100-300 per year if purchased privately, making the two-year settlement benefit worth $200-600 in protection. However, if you’ve already purchased credit monitoring through your own insurance or a credit card benefit, the settlement credit monitoring may be redundant. You need to evaluate which option provides actual benefit to your situation: high documented losses suggest a cash claim, while no fraud but concern about future risk suggests monitoring.
Important Deadlines and the Final Approval Hearing
The final approval hearing for this settlement is scheduled for July 8, 2026 at 10:00 a.m. This hearing is when a judge reviews the settlement terms and approves the compensation plan, making it official. Claims must typically be submitted before this date, though the specific claim deadline may be 30 to 60 days before the hearing depending on the claims administrator’s timeline. Missing the claims deadline means forfeiting compensation entirely.
One common misconception is that the final approval hearing is when claims begin being paid—it’s not. The hearing approves the settlement structure, and then claims processing begins. If you miss the deadline for submitting a claim, you cannot claim compensation even after the hearing occurs. Start gathering your documentation now if you believe you have out-of-pocket losses, and watch for official claim submission windows announced on the settlement website. Waiting until June 2026 to start collecting receipts and records could be too late.

Who Is Eligible to File a Claim?
You are eligible if you were a patient of either Excelsior Orthopaedics or Buffalo Surgery Center and your information was included in the data breach affecting 350,000+ individuals. This includes patients who received treatment at either facility during the period that was compromised, roughly prior to June 2024 when the breach was discovered. You don’t need to prove you suffered harm to be part of the class—merely being a patient whose data was exposed qualifies you.
However, eligibility requirements sometimes include residency restrictions or requirements to submit proof of your relationship to the affected healthcare providers. Review the official settlement website carefully to confirm you meet all eligibility criteria before investing time in documentation. Some settlements exclude certain individuals, such as deceased patients’ estates or people already receiving other settlements for related claims.
Next Steps for Patients Affected by This Data Breach Settlement
The most important action is to monitor the official Excelsior Data Settlement Website (excelsiordatasettlement.com) for claim submission instructions and deadlines. When the claims window opens, you’ll need to decide whether to pursue a cash claim, credit monitoring, or both if allowed. Start gathering documentation of any fraudulent activity now—include credit reports showing unauthorized accounts, transaction records from disputed charges, and medical bills or communications related to fraudulent claims filed in your name.
Going forward, place a fraud alert on your credit report (free and immediate), and consider freezing your credit if you’re particularly concerned about identity theft. These steps are more effective than waiting and monitoring, though the settlement’s free credit monitoring can provide additional oversight. The data breach affects an enormous number of people, so don’t expect processing to be lightning-fast once claims begin being accepted—budget extra time and patience when submitting your claim.
