Excelsior Orthopaedics $2.4M Data Breach Settlement, Got a Notice? Here’s How to Claim Up to $5,000
Excelsior Orthopaedics LLP and Buffalo Surgery Center LLC agreed to pay $2.4 million to settle a class action lawsuit alleging they failed to protect the sensitive personal, medical, and financial information of approximately 357,000 patients and employees during a June 2024 cyberattack. If you received a breach notice from Excelsior Orthopaedics, Buffalo Surgery Center, or Northtowns Orthopaedics, you may qualify for up to $5,000 in documented losses, a pro rata cash payment, or two years of free three-bureau credit monitoring. The claim deadline is June 11, 2026.
Quick Facts
| Field | Detail |
| Settlement Amount | $2,400,000 |
| Claim Deadline | June 11, 2026 |
| Who Qualifies | U.S. residents whose personal information was potentially exposed in the June 2024 Excelsior Orthopaedics breach and received notice of the incident |
| Payout Per Person | Up to $5,000 (documented losses) OR pro rata cash share (no docs needed) |
| Proof Required | Yes — for documented loss claims; No — for pro rata cash and credit monitoring |
| Settlement Status | Preliminarily Approved — February 11, 2026 |
| Administrator | Epiq Global |
| Official Website | excelsiordatasettlement.com |
Current Status and What Happens Next
- Preliminarily approved February 11, 2026 — the court gave conditional approval and the claim portal is now live at excelsiordatasettlement.com.
- Opt-out deadline: May 17, 2026 — if you want to preserve your right to sue Excelsior Orthopaedics and Buffalo Surgery Center separately, you must submit your exclusion request before this date.
- Final approval hearing: July 8, 2026 at 10:00 a.m. ET — if the court grants final approval, Epiq Global will issue payments approximately 90 days after claim processing is complete or final approval is granted, whichever is later.
What Is the Excelsior Orthopaedics Data Breach Lawsuit About?
Excelsior Orthopaedics LLP is a Western New York orthopedic and sports medicine practice based in Amherst, New York, providing orthopedic surgery, physical therapy, and sports medicine services across multiple locations. Buffalo Surgery Center LLC is an affiliated ambulatory surgical center that relies on Excelsior for administrative and IT services. Northtowns Orthopaedics is another related Excelsior entity whose patient data was also stored on the affected network.
On June 23, 2024, Excelsior detected unusual activity on its computer network and discovered it had been the victim of a targeted cyberattack. An investigation with the help of a third-party cybersecurity firm confirmed that unauthorized parties had gained access to files containing the personal and protected health information of patients and employees. Excelsior publicly disclosed the breach on January 3, 2025 — more than six months after discovery — and began notifying the approximately 357,000 affected individuals at that time.
Plaintiff Szucs and other affected patients filed the class action lawsuit Szucs et al. v. Excelsior Orthopaedics LLP et al., Case No. 812753/2024, alleging Excelsior and Buffalo Surgery Center failed to implement adequate cybersecurity safeguards to protect the highly sensitive medical, financial, and personal information entrusted to them by patients seeking orthopedic care. Excelsior and Buffalo Surgery Center denied all allegations but agreed to the $2.4 million settlement to avoid the cost and uncertainty of continued litigation. As part of the settlement, both defendants also agreed to implement additional security measures going forward.
What Personal Information Was Exposed?
The June 2024 cyberattack potentially compromised an exceptionally wide range of sensitive personal and medical information. Your breach notice will specify which categories of your information were affected, but the breach may have included:
- Full names, addresses, and contact information
- Social Security numbers
- Driver’s license numbers and state identification numbers
- Passport numbers
- Dates of birth
- Biometric information
- Diagnosis and health information
- Prescription information
- Health insurance information
- Financial account information
The combination of medical records, Social Security numbers, biometric data, and financial account information in this breach creates significant risk of both medical identity theft and financial fraud. Medical identity theft — where someone uses your health insurance information to receive care, obtain prescriptions, or file fraudulent claims — can corrupt your medical records and take years to resolve. Enrolling in the free three-bureau credit monitoring benefit is strongly recommended regardless of which cash option you choose.
Who Is Eligible to File a Claim?
- You may qualify if you are a U.S. resident whose personal information was potentially accessible as a result of the June 2024 cyberattack involving Excelsior Orthopaedics LLP and Buffalo Surgery Center LLC.
- You may qualify if you received a breach notification letter or email from Excelsior Orthopaedics, Buffalo Surgery Center, or Northtowns Orthopaedics about this incident.
- You may qualify whether you were a current or former patient of any of these practices, or an employee whose personal information was stored on the affected network.
- You do not qualify if you did not receive a notice about this specific June 2024 breach.
Your settlement notice includes a unique ID and PIN required to file your claim online. If you believe you qualify but did not receive a notice, contact Epiq Global at 1-877-327-7791 or [email protected] well before the June 11, 2026 deadline.
Related article: Tower Engineering Professionals Washington Settlement, Applied for a Job Between 2022–2026? Claim Up to $1,259
How Much Can You Receive?
The settlement offers three benefit options. You can select the cash option that best fits your situation and also enroll in credit monitoring.
| Benefit Type | Maximum Amount | Proof Required |
| Documented Loss Payment | Up to $5,000 | Yes — receipts, bank/credit card statements, police reports, or other third-party proof |
| Cash Fund Payment (pro rata) | TBD — equal share of remaining fund | No |
| Credit Monitoring (2 years, 3-bureau) | Free — activation code in your notice | No — enroll after claim deadline using activation code |
Documented losses cover unreimbursed out-of-pocket expenses directly traceable to the data breach — including bank or credit card fees resulting from fraudulent charges, costs of credit monitoring or identity theft insurance, fees for freezing or unfreezing your credit, and postage costs for contacting financial institutions. You must submit supporting documentation such as receipts, bank or credit card statements showing fraudulent charges, or police reports.
The pro rata cash payment requires no documentation. All eligible class members who do not submit a documented loss claim can receive an equal share of the remaining settlement fund after fees and costs. The exact amount depends on the total number of valid claims submitted.
Credit monitoring requires no claim form at all — your settlement notice includes an activation code you can use to enroll in two years of free three-bureau credit monitoring after the claim deadline passes.
Settlement fund breakdown:
| Deduction | Amount |
| Attorneys’ fees | Up to $800,000 |
| Service awards to class representatives | Up to $2,500 each |
| Credit monitoring costs | Based on number of activations |
| Settlement administration costs | TBD |
| Cash payments to approved claimants | Remaining funds |
How to File a Claim
Step 1 — Locate your unique ID and PIN from the breach settlement notice Excelsior Orthopaedics or Epiq Global sent you by mail or email.
Step 2 — Visit the official claim portal at excelsiordatasettlement.com and log in with your unique ID and PIN to file online. Alternatively, download the PDF claim form from the same website to mail your submission.
Step 3 — Select your benefit option: documented loss payment or pro rata cash fund payment. You may also enroll in credit monitoring using your activation code after the claim deadline.
Step 4 — If claiming documented losses, upload your supporting documentation — receipts, bank or credit card statements showing fraudulent charges, police reports, or other third-party proof linking your expenses to the breach.
Step 5 — Submit your claim online or mail the completed paper form to: Excelsior Incident Settlement Administrator, P.O. Box 6484, Portland, OR 97228-6484. All claims must be submitted or postmarked by June 11, 2026.
Step 6 — Save your claim confirmation number or keep a copy of your mailed form. Once your payment arrives approximately 90 days after final approval, follow up with Epiq Global at 1-877-327-7791 if you have questions.
Estimated time to complete: 5 minutes for the pro rata cash claim; 15–25 minutes if uploading documentation for a documented loss claim.
Important Deadlines and Dates
| Milestone | Date |
| Breach Discovered | June 23–24, 2024 |
| Public Breach Disclosure and Notifications Sent | January 3, 2025 |
| Lawsuit Filed (Szucs et al. v. Excelsior Orthopaedics LLP et al.) | 2024 |
| Settlement Preliminary Approval | February 11, 2026 |
| Opt-Out Deadline | May 17, 2026 |
| Objection Deadline | May 17, 2026 |
| Claim Filing Deadline | June 11, 2026 |
| Final Approval Hearing | July 8, 2026 at 10:00 a.m. ET |
| Expected Payment Date | Approximately 90 days after final approval or completion of claim processing |
Frequently Asked Questions
Do I need a lawyer to file a claim in this settlement?
No. You can file your claim directly at excelsiordatasettlement.com without hiring an attorney. Class counsel already represents all class members at no individual cost. If you want independent legal advice about your specific situation, you may hire your own attorney at your own expense. Contact Epiq Global at 1-877-327-7791 or [email protected] with questions.
Is this Excelsior Orthopaedics settlement legitimate?
Yes. The settlement, Szucs et al. v. Excelsior Orthopaedics LLP et al., Case No. 812753/2024, is a court-supervised class action. The court entered the preliminary approval order on February 11, 2026. The official settlement website is excelsiordatasettlement.com, administered by Epiq Global. You can also verify information by calling 1-877-327-7791 or emailing [email protected].
When will I receive my payment?
The final approval hearing is scheduled for July 8, 2026. Epiq Global will issue payments approximately 90 days after it completes claim processing or the court grants final approval, whichever is later. Given this timeline, most claimants can expect payments in late 2026.
What if I miss the June 11, 2026 claim deadline?
If you do not file a claim by June 11, 2026, you will not receive any cash payment from this settlement. You will still be bound by the settlement’s release of claims against Excelsior and Buffalo Surgery Center unless you opted out before May 17, 2026. File your claim as early as possible — do not wait until the last day.
Will this settlement payment affect my taxes?
Settlement payments may count as taxable income depending on the nature of the compensation and your individual tax situation. Epiq Global will issue appropriate tax documentation if required. Consult a qualified tax professional to understand how to report any payment you receive.
Why did Excelsior wait six months to notify patients about the breach?
Excelsior discovered unusual network activity on June 23, 2024, but did not publicly disclose the breach or send patient notifications until January 3, 2025 — more than six months after discovery. Extended breach investigations are not uncommon as organizations work to determine the full scope of exposed data, but the delay limited the time patients had to protect themselves. The lawsuit highlighted this notification delay as a factor contributing to patient harm.
What is biometric information and why is it especially sensitive in this breach?
Biometric information includes unique physical identifiers like fingerprints, retinal scans, or facial recognition data. Unlike a Social Security number or financial account — which can be changed or replaced — biometric data is permanent and cannot be reset. Its inclusion in this breach makes it particularly concerning for affected patients. If you believe your biometric data may have been exposed, consider monitoring any accounts or services where you use biometric authentication and contact Epiq Global for more information.
Does this settlement cover Northtowns Orthopaedics patients?
Yes. Northtowns Orthopaedics is a related Excelsior entity, and patient data stored on Excelsior’s network on behalf of Northtowns was also potentially accessible in the breach. If you received a breach notification from Northtowns Orthopaedics about this incident, you are a class member and may file a claim under the same settlement terms as Excelsior and Buffalo Surgery Center patients.
Sources and References
- Official Settlement Website — excelsiordatasettlement.com
- Settlement FAQ — excelsiordatasettlement.com/Home/FAQ
- Official Class Notice PDF
- Excelsior Orthopaedics Official Breach Notice — January 3, 2025
Western New York patients whose information was also exposed in a separate local healthcare data breach may want to review the General Physician P.C. $2.5 million data breach settlement — also based in Buffalo, New York — with a claim deadline of May 27, 2026. Patients whose health insurance information and Social Security numbers were exposed in a similar orthopedic or surgical center breach should also check the Signature Performance $8.5 million data breach settlement covering patients of Adventist Health and UNC Health Southeastern with a claim deadline of May 7, 2026.
Last Updated: March 18, 2026
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah