Active breach tracker Amherst, New York Disclosed January 4, 2025

Buffalo Surgery Center Data Breach 2025: 64,000 Patients Exposed in Excelsior Orthopaedics Monti Ransomware Attack. $2.4M Settlement. What To Do.

Buffalo Surgery Center filed with HHS OCR on January 4, 2025, reporting 64,000 affected patients from a June 23, 2024 ransomware attack on parent Excelsior Orthopaedics, LLP. The Monti ransomware group claimed responsibility and posted the stolen data on its leak site. Exposed information included Social Security numbers, driver's license numbers, medical and health insurance details, and financial data. A $2.4 million class settlement (Szucs et al. v. Excelsior Orthopaedics) received preliminary approval; final fairness hearing is July 8, 2026.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jun 18, 2024

Unauthorized access to Excelsior Orthopaedics' network begins — per Maine AG filing, the intrusion window ran from June 18 to June 27, 2024

Jun 23, 2024

Excelsior Orthopaedics detects unusual activity on its network and begins incident response; external network access disconnected

Jun 23, 2024

Attacker gained access

Jul 1, 2024

Monti ransomware group added Excelsior to its Tor leak site and claimed responsibility for the attack

Aug 1, 2024

First wave of individual notification letters mailed by Excelsior Orthopaedics (notifications ran through August 26, 2025 across multiple waves)

Dec 1, 2024

Putative class actions filed against Excelsior Orthopaedics and Buffalo Surgery Center; later consolidated as Szucs et al. v. Excelsior Orthopaedics, LLP et al., Index No. 812753/2024 (Sup. Ct. N.Y., Erie County)

Dec 31, 2024

Second wave of notifications mailed after the scope of compromised patient information was expanded to include additional Buffalo Surgery Center records

Jan 4, 2025

Buffalo Surgery Center filed a Hacking/IT Incident report with HHS OCR — 64,000 individuals affected, Network Server

Jan 7, 2025

Excelsior Orthopaedics filed notice with Maine Attorney General; 394,752 total individuals affected, 24 Maine residents; 12 months of credit monitoring through CyberScout (TransUnion) offered

Jul 30, 2025

Excelsior's forensic review of the full scope of compromised information completed

Mar 20, 2026

$2.4 million class settlement announced; preliminary approval granted

May 17, 2026

Objection and exclusion deadline for class members

Jun 11, 2026

Claims submission deadline

Jul 8, 2026

Final fairness hearing scheduled before Hon. Catherine Nugent Panepinto

Data exposed

01

High-risk identity

Enables financial + identity theft

Demographic information (address, date of birth) Social Security number Driver's license number Passport number Biometric information

02

Health records

Don't expire and can't be reissued

Medical information (diagnoses, treatment details, medical record numbers)

03

Contact & insurance

Phishing + targeted scams

Full name State identification number Health insurance information (plan, member ID, group ID) Financial information (banking or payment fields)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Ahdoot & Wolfson, PC (class counsel — Andrew W. Ferich) Sterlington PLLC (class counsel — Arturo Peña) Siri & Glimstad LLP (class counsel — Tyler J. Bean) Federman & Sherwood (investigating) Console & Associates, P.C. (investigating) Pittman Dutton Hellums Bradley & Mann (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Buffalo Surgery Center is an ambulatory surgery center in Amherst, New York operating as an affiliate of Excelsior Orthopaedics, LLP. Excelsior is a western New York orthopaedic group with 10 locations that serves more than 400,000 patient visits and provides shared administrative and IT infrastructure to its affiliated entities, including Buffalo Surgery Center and Northtowns Orthopaedics in Buffalo. Patient demographic, clinical, insurance, and identity data for roughly 64,000 surgery-center patients sat on Excelsior’s shared network.

Per the Maine Attorney General filing, an unauthorized third party gained access to Excelsior’s network systems beginning June 18, 2024, with access continuing through June 27, 2024. Excelsior detected unusual activity on June 23, 2024, disconnected external network access, and engaged outside forensic counsel. The Monti ransomware group claimed responsibility and added Excelsior to its Tor-based data leak site. A forensic review of the full scope of compromised information was completed July 30, 2025, after which the investigation confirmed data belonging to current and former patients and employees of Excelsior and its affiliated entities. Buffalo Surgery Center filed its own HIPAA breach notification with HHS OCR on January 4, 2025, reporting the incident as a Hacking/IT Incident at a Network Server affecting 64,000 individuals. Excelsior Orthopaedics filed a separate notice with the Maine AG on January 7, 2025, reporting a total of 394,752 individuals affected, including 24 Maine residents.

Timeline

  • June 18-27, 2024 — Per the Maine AG filing, the unauthorized intrusion window on Excelsior’s network ran from June 18 through June 27, 2024.
  • June 23, 2024 — Excelsior Orthopaedics detects unusual activity. External network access is disconnected and outside forensic counsel is engaged.
  • Early July 2024 — Monti ransomware group adds Excelsior to its Tor leak site and claims responsibility.
  • August 2024 through August 26, 2025 — Multiple waves of patient notification letters mailed. The first wave went out in August 2024; additional waves followed through mid-2025 as the scope of the investigation expanded.
  • December 2024 — Multiple putative class actions filed in the Supreme Court of the State of New York, County of Erie. Later consolidated as Szucs et al. v. Excelsior Orthopaedics, LLP et al., Index No. 812753/2024.
  • December 31, 2024 — Second major wave of notification letters mailed after the scope of compromised information was expanded to include additional Buffalo Surgery Center patient records.
  • January 4, 2025 — Buffalo Surgery Center files Hacking/IT Incident report with HHS OCR reporting 64,000 affected individuals on a Network Server.
  • January 7, 2025 — Excelsior Orthopaedics files notice with the Maine Attorney General reporting 394,752 total affected individuals (24 Maine residents). Wilson Elser LLP filed on Excelsior’s behalf; 12 months of CyberScout (TransUnion) credit monitoring offered.
  • July 30, 2025 — Excelsior’s forensic review of the full scope of compromised data completed.
  • March 20, 2026 — $2.4 million class settlement announced; preliminary approval granted.
  • May 17, 2026 — Deadline for class members to object or exclude themselves.
  • June 11, 2026 — Claims submission deadline.
  • July 8, 2026 — Final fairness hearing scheduled at 10:00 a.m. before Hon. Catherine Nugent Panepinto, Erie County Court Building, 25 Delaware Ave, Buffalo, NY 14202.

The notification cadence is unusual: Excelsior sent letters in August 2024, then sent a second round on December 31, 2024 after determining that additional Buffalo Surgery Center records were involved, with further waves continuing through August 2025. The class complaint flags the more than six-month gap between intrusion (June 23, 2024) and Buffalo Surgery Center’s own OCR filing (January 4, 2025) as outside what HIPAA’s 60-day rule contemplates.

What was exposed

Per the Excelsior and Buffalo Surgery Center notifications, the Maine AG filing, and the official settlement website, the dataset exposed includes:

  • Full name and demographic information (address, date of birth)
  • Social Security number
  • Driver’s license number
  • State identification number
  • Passport number
  • Biometric information
  • Medical information (diagnoses, treatment details, medical record numbers)
  • Health insurance information (plan, member ID, group ID)
  • Financial information (banking or payment fields for a subset of records)

The settlement website — which reflects the court-approved notice language — is the most complete public list of PHI categories. Passport numbers and biometric information were not mentioned in early press reports but appear in the official settlement administrator’s disclosure. Individual letters specify which exact fields applied to each person; if your letter is unavailable, the settlement call center (1-877-327-7791) can advise.

Because Monti publicly posted exfiltrated data on its Tor leak site, the working assumption should be that this information is in active circulation on criminal marketplaces. The harm shape is full-profile identity fraud and medical identity theft, not just targeted phishing.

What Buffalo Surgery Center and Excelsior are offering

Excelsior Orthopaedics offered affected individuals 12 months of complimentary credit monitoring and identity theft restoration services through CyberScout, a TransUnion company, via the original notification letters. This offer was confirmed in the Maine AG filing.

The $2.4 million class settlement layers additional benefits on top for class members:

  • Two years of three-bureau credit monitoring automatically provided to all class members. No claim is required; an activation code is sent in the settlement notice and can be activated at ExcelsiorDataSettlement.com after final settlement approval.
  • Up to $5,000 in documented, unreimbursed out-of-pocket losses per class member (bank fees, communication charges, credit expenses, travel costs, up to 5 hours of lost time at $20/hour).
  • An alternative pro-rata cash payment for class members who do not file documented-loss claims, based on remaining settlement funds after deductions.

Class members must have acted by June 11, 2026 to submit a claim, or by May 17, 2026 to object or exclude themselves. The final fairness hearing is scheduled for July 8, 2026. Details are at ExcelsiorDataSettlement.com or by calling the settlement call center at 1-877-327-7791. No settlement benefits will be distributed until after the court grants final approval.

Class action and regulatory posture

Multiple putative class actions filed in late 2024 were consolidated as Szucs et al. v. Excelsior Orthopaedics, LLP et al., Index No. 812753/2024, in the Supreme Court of the State of New York, County of Erie, before Hon. Catherine Nugent Panepinto. The consolidated complaint asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, and violations of New York’s Deceptive Acts and Practices Act (GBL section 349). Nine named class representatives — Susan Szucs, Anthony Parrizzi, Terrence Ernest Gidney, Christina Church, Jimmie Hardaway Jr., Sharon Siegle, Paul Pascucci, James Marciszewski, and Shannon Allgrim — are each eligible for service awards of up to $2,500.

The court appointed Andrew W. Ferich of Ahdoot & Wolfson, PC, Arturo Peña of Sterlington PLLC, and Tyler J. Bean of Siri & Glimstad LLP as Class Counsel. Defendants are represented by Wilson Elser LLP (David M. Ross and Brian H. Myers). Defendants denied all claims; the settlement contains no admission of liability.

The settlement fund breakdown: attorneys’ fees up to one-third of the $2.4 million fund (approximately $800,000), service awards up to $2,500 per class representative, settlement administration costs, and remaining funds distributed to approved claimants.

Additional firms that publicly investigated the matter before consolidation include Federman & Sherwood, Console & Associates, P.C., and Pittman Dutton Hellums Bradley & Mann.

On the federal side, Buffalo Surgery Center’s January 4, 2025 filing remains listed on the HHS Office for Civil Rights breach portal. No public OCR enforcement resolution has been announced. No New York Attorney General enforcement action specific to this incident has been publicly announced as of this writing.

What to do if you may be affected

This week:

  1. Activate your credit monitoring code. Class members receive two years of three-bureau credit monitoring automatically; the activation code appears in your settlement notice. Activate it at ExcelsiorDataSettlement.com or call 1-877-327-7791. Activation is only possible after the court grants final settlement approval (hearing: July 8, 2026). If you received an original Excelsior notification letter in 2024 or early 2025, that letter also contained a separate 12-month CyberScout/TransUnion monitoring code.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion. This is the single highest-leverage protection against new-account fraud and is independent of any monitoring you enroll in. It is free, takes about ten minutes per bureau, and can be temporarily lifted any time.
  3. File IRS Form 14039 (Identity Theft Affidavit). Your Social Security number is among the data Monti posted publicly, so block a fraudulent tax return being filed under your SSN.
  4. If a passport number was in your file, contact the U.S. State Department (travel.state.gov) to flag potential misuse. Passport numbers alone are not sufficient to obtain a new passport but can facilitate identity-related fraud in combination with other exposed data.

This month:

  1. Review your Explanation of Benefits statements from your insurer for surgical or orthopaedic services you did not receive. Medical identity theft typically surfaces in EOBs weeks or months after the underlying fraud.
  2. If the June 11, 2026 claim deadline has passed and you have not yet filed, contact Class Counsel (Ahdoot & Wolfson at 1-877-327-7791) to determine whether a late claim may be considered. The final fairness hearing is July 8, 2026 and no benefits will be paid until after the court grants final approval.
  3. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the orthopaedic, surgical, and insurance information exposed in this breach is not continuously re-shared and resold by other entities downstream.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.