Orthopedics Rhode Island (Ortho RI) decided to settle a class action litigation over a 2024 ransomware attack for $2.9 million. Ortho RI discovered the ransomware attack on September 7, 2025 and started a forensic investigation, which confirmed unauthorized network access between September 4 and September 8, 2024. The incident resulted in the compromise of data including names, birth dates, addresses, billing and claims data, medical insurance claims data, diagnoses, prescription drugs, x-ray images, lab test results, and other treatment details. Ortho RI submitted the data breach report to the HHS’ Office for Civil Rights as affecting the protected health information (PHI) of 377,731 individuals because of unauthorized access. The impacted individuals received notifications concerning the incident through a website notice posted on November 6, 2024, as well as individual notifications sent on December 6, 2024. Ortho RI may need to conduct HIPAA training to address security problems.
Ortho RI faced seven class action lawsuits as a result of the data breach, but one was dismissed. Because of overlapping claims and similar facts, the six lawsuits were combined as the Lavoie-Soria et al. v Orthopedics Rhode Island, Inc. lawsuit filed in Kent County Superior Court of the State of Rhode Island. The plaintiffs allege to have sustained injuries because of the attack, which include lost or reduced value of their personal information, lost opportunity costs linked to mitigating the effects of the data breach, and out-of-pocket losses connected to the prevention, monitoring and resolving identity theft and fraud. The lawsuit stated claims of negligence and negligence per se as a result of the inability to use good and proper cybersecurity measures, breach of fiduciary duty, unjust enrichment, and breach of implied contract.
Ortho RI stated claims of no wrongdoing; but, it opted to resolve the lawsuit to steer clear of the risks, costs, and uncertainty of ongoing lawsuit. The class representatives think the settlement is ideal for all people in the settlement class for similar reasons. The terms of the settlement gives all class members the eligibility to claim medical record monitoring services for two years and either of two cash payments. Class members may file a claim to reimburse documented, unreimbursed losses associated with the data breach as much as $5,000 per class member. Otherwise, class members can opt for another cash payment, which is estimated to be about $100. Claims will be paid using the settlement fund after deducting the attorneys’ fees, settlement management costs, medical record monitoring costs and service awards for class representatives.
The last day to file an objection to and exemption from the settlement is December 29, 2025. Class members can file their claims until January 13, 2026. The schedule of the final approval hearing is January 28, 2026.
