Individuals whose personal information was compromised in the Excelsior Orthopaedics and Buffalo Surgery Center data breach may be eligible to claim up to $5,000 plus two years of credit monitoring from a $2.4 million class action settlement.
If your personal information was caught up in the Excelsior Orthopaedics data breach, there is a settlement with your name on it. Excelsior Orthopaedics and Buffalo Surgery Center agreed to resolve a class action lawsuit stemming from a cybersecurity incident discovered in June 2024 that may have exposed the personal information of approximately 389,000 current and former patients.
The companies deny any wrongdoing but chose to settle rather than face a drawn-out trial. The result: real money available to people who were affected – and you don’t need a lawyer or extensive paperwork to get it.
Who can file a claim?
Individuals must meet the following criteria:
- They are a living natural person residing in the United States.
- Their personal information was potentially compromised in the data breach discovered on or about June 24, 2024.
- They received a data breach notification from Excelsior Orthopaedics or Buffalo Surgery Center.
Were you affected by the Excelsior Orthopaedics data breach? You could be owed money.
Check My EligibilityHow much can class members receive?
Class members can claim several types of awards, depending on their circumstances and the documentation they provide:
- Documented loss reimbursement: Up to $5,000 for documented, unreimbursed out-of-pocket expenses incurred as a result of the data breach – bank fees, credit monitoring costs, credit freeze charges, phone and data charges, postage, gasoline for related errands, and similar expenses. Requires documentation such as receipts, bank statements, or credit card statements.
- Pro rata cash payment: A share of the remaining settlement fund distributed equally among all valid claimants who do not submit documented loss claims. No documentation required beyond the Unique ID and PIN from your notice.
- Credit monitoring: Two years of free three-bureau credit monitoring with identity theft insurance. No documentation required.
How to claim a data breach payment
Class members can submit the online claim form at the official settlement website or download and mail the PDF claim form to the settlement administrator. The claim deadline is June 11, 2026.
Excelsior Incident Settlement Administrator, c/o Epiq Global, PO Box 6484, Portland, OR 97228-6484
What proof or documentation is necessary to submit a claim?
- All claimants must provide the Unique ID and PIN from the settlement notice they received.
- Claimants filing for documented losses must provide documentation such as receipts, invoices, bank or credit card statements showing fraudulent charges, police reports, or proof of identity theft.
- Claimants filing for the pro rata cash payment do not need to provide documentation beyond their Unique ID and PIN.
- Claimants requesting credit monitoring do not need to provide documentation – an activation code is included with the settlement notice.
Payout options
- Electronic payment (via email)
- Paper check
Settlement fund breakdown
The $2.4 million settlement fund covers:
When is the Excelsior Orthopaedics data settlement payout date?
The settlement administrator will issue payments approximately 90 days after the court grants final approval of the settlement and completes claim processing. The final approval hearing is scheduled for July 8, 2026. No specific payout date has been announced – this is standard at this stage of the process.
Why did this class action settlement happen?
The class action lawsuit alleged Excelsior Orthopaedics and Buffalo Surgery Center experienced a cybersecurity incident discovered in June 2024 that potentially exposed the personal information of approximately 389,000 individuals. The plaintiffs claimed the defendants failed to adequately protect sensitive patient data including Social Security numbers, medical records, and financial information.
The defendants deny any wrongdoing but agreed to settle to avoid the uncertainty and expense of litigation.
Is the Excelsior Orthopaedics data breach settlement legitimate?
Yes – this is a fully court-supervised settlement. Here’s what confirms it:
- Case number: 812753/2024, filed in New York State Court
- Administrator: Epiq Global, an independent third party
- Official site: excelsiordatasettlement.com
- Notice: Sent directly by the administrator – not by Excelsior Orthopaedics
The settlement is pending final court approval at the July 8, 2026 hearing. Claims must be filed before June 11, 2026 – no payments will be issued before final approval.
How much will I actually receive from the Excelsior Orthopaedics settlement?
It depends on two things: what you claim and how many people file. The $2.4 million fund is split among all valid claimants after legal fees and administration costs.
- Pro rata cash payment (no docs needed) – a share of the remaining fund. Amount depends on total claims filed.
- Up to $5,000 (documented losses) – requires receipts, bank statements, or other third-party documentation of expenses related to the breach.
- Credit monitoring – two years of three-bureau monitoring with identity theft insurance, no documentation required, available to everyone.
With 389,000 affected individuals, not everyone will file. Filing early and providing documentation gives you the best chance of receiving a larger payout.
What actually happened in the Excelsior Orthopaedics data breach?
In June 2024, Excelsior Orthopaedics – a Buffalo, New York-based orthopedic practice – and its affiliated Buffalo Surgery Center experienced a cybersecurity incident that exposed personal information stored in their systems.
What was exposed: Names, Social Security numbers, dates of birth, driver’s license numbers, passport numbers, biometric information, medical diagnoses, financial information, health insurance details, and prescription information.
What the lawsuit claims: That Excelsior Orthopaedics and Buffalo Surgery Center failed to implement adequate security measures to protect sensitive patient data, in violation of New York General Business Law and HIPAA.
What the defendants say: They deny any wrongdoing – but agreed to a $2.4 million settlement rather than face trial.
Why do companies settle data breach lawsuits even when they deny wrongdoing?
Settlement does not mean admission of guilt. Companies settle for practical reasons:
- Litigation is expensive – legal fees alone can exceed the settlement amount
- Trials are unpredictable – a verdict could result in a far larger payout
- Settling ends years of ongoing litigation and negative press
- For plaintiffs, it guarantees a payout rather than risking nothing at trial
Courts still review every class action settlement to confirm it’s fair and reasonable – that’s what the July 8, 2026 hearing is for. Denying wrongdoing while settling is standard practice and has no effect on your right to file a claim.