2025 Losses to Cybercrime Exceeded $20 Billion

Posted by Steve Alder

In 2025, another unwanted record was set for losses to cybercrime, with almost $21 billion in reported losses, beating the previous record of $16.6 in losses set in 2024 by 26%, according to the Federal Bureau of Investigation (FBI) Internet Crime Report 2025. The report was compiled based on complaints filed with the FBI’s Internet Crime Complaint Center (IC3), which topped 1 million for the first time, increasing from 859,000 complaints in 2024. This is the 25th year that the FBI has released its annual report, which started with a few thousand complaints filed per month to an average of almost 3,000 complaints per day in 2025.

The increase in losses was largely driven by an increase in losses to investment fraud ($8,648,617,756), which was the largest cause of losses in 2025, followed by business email compromise – BEC – ($3,046,598,558) and tech support scams ($2,134,675,818).

Source: FBI Internet Crime Complaint Report 2025

In terms of complaint volume, phishing topped the list (191,561 complaints), followed by extortion (89,129 complaints), investment fraud (72,984 complaints), and personal data breaches (67,456), with non-payment/non-delivery rounding out the top 5 (56,478 complaints). Cyber-enabled fraud was present in 453,000 complaints, accounting for $17.7 billion in total losses. In 2025, 181,565 complaints related to cryptocurrency, and 22,364 related to AI-related incidents, with the latter involving $893 million in losses.

IC3 received 3,611 complaints related to ransomware, resulting in more than $32 million in losses. Those losses do not include losses due to business disruptions, equipment, or third-party remediation costs. Ransomware attacks were among the top cyber threats reported by critical infrastructure entities. The biggest ransomware threats in terms of complaint volume were Akira, Qilin, INC Ransom/Lynx/Sinobi, BianLian, and Play. Across all 16 critical infrastructure sectors, the healthcare and public health sector experienced the highest number of cyber threats, including 182 data breaches and 460 ransomware attacks, ahead of critical manufacturing, financial services, information technology, and the government.

The FBI said it has upgraded its efforts to prevent cybercrime, including blocking attacks, notifying victims, and freezing stolen funds. In January, the FBI launched its Operation Winter Shield, which explained some of the most important steps that businesses can take to improve their defenses against cyber threats and block cyberattacks. The FBI also launched Operation Level Up, a proactive approach to identify and alert victims of cryptocurrency investment fraud. The FBI reports that out of the 3,780 victims the agency notified last year, 78% were unaware that they were being scammed. Last year, the FBI also initiated approximately 3,900 Financial Fraud Kill Chain (FFKC) interventions, and was able to block a significant number of fraudulent transactions, freezing more than $679 million in fraudulent transfers, achieving a 58% success rate, and a 65% success rate for its FFKC Actions in healthcare.

The post 2025 Losses to Cybercrime Exceeded $20 Billion appeared first on The HIPAA Journal.

OrthopedicsNY Settles Class Action Data Breach Lawsuit for $1.45M

Posted by Steve Alder

A $1,450,000 settlement has been agreed upon to resolve a class action lawsuit against the New York orthopedic medicine and surgery practice OrthopedicsNY. The class action complaint was filed in response to a December 2023 ransomware attack and data breach that exposed the personal and electronic protected health information of 656,086 patients.

OrthopedicsNY, which operates almost 20 clinics in the Capital Region in New York State, was attacked by the INC Ransom threat group on or around December 28, 2023. Prior to encrypting files, INC Ransom exfiltrated sensitive patient data, including names, contact information, financial information, protected health information, Social Security numbers, passport numbers, and driver’s license numbers. The affected individuals were notified on November 4, 2024.

Several class action lawsuits were filed in response to the data breach, which were consolidated in a single action – Michael Sayers, et al. v. OrthopedicsNY, LLP – in the Circuit Court of the 17th Judicial Circuit in and for Broward County, Florida. The plaintiffs alleged that the defendant promised to protect their sensitive personal and health information but failed to do so, resulting in a ransomware attack and the theft of their data. The plaintiffs asserted claims for negligence, negligence per se, breach of implied contract, and unjust enrichment.

OrthopedicsNY agreed to a settlement to avoid the cost and time of protracted litigation and the uncertainty of a trial. Class counsel and the class representatives believe the settlement is fair and that accepting the settlement is in the best interests of class members. Under the terms of the settlement, OrthopedicsNY has agreed to establish a $1,450,000 settlement fund to cover attorneys’ fees and expenses, notification and administration costs, and service awards for the 12 named class representatives. After covering those costs, the remainder of the settlement fund will be used to pay for benefits to the class members.

Class members may claim one of two cash payments. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member, or they may claim an alternative cash payment, which is anticipated to be $50 per class member, but may be higher or lower depending on the number of valid claims received. The deadline for objection, opting out, and submitting a claim is June 15, 2026. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for June 30, 2026.

In addition to the class action settlement, OrthopedicsNY previously settled an investigation by the New York Attorney General and paid a $500,000 financial penalty. The New York Attorney General determined that OrthopedicsNY failed to implement reasonable and appropriate cybersecurity measures to secure patient data, in violation of federal and state laws. In addition to the financial penalty, OrthopedicsNY agreed to implement and maintain a comprehensive information security program and several cybersecurity measures to bolster security and offer the affected individuals one year of complimentary credit monitoring services.

The post OrthopedicsNY Settles Class Action Data Breach Lawsuit for $1.45M appeared first on The HIPAA Journal.

Data Breaches Reported by Southern Illinois Dermatology; Heart South Cardiovascular Group

Posted by Steve Alder

Patient data has potentially been compromised in data incidents at Southern Illinois Dermatology and Heart South Cardiovascular Group in Alabama.

Southern Illinois Dermatology, Illinois

Southern Illinois Dermatology has notified an unspecified number of individuals about a data security incident it identified on November 28, 2025. An investigation was immediately launched to determine the nature and scope of the activity, with assistance provided by third-party cybersecurity experts. The investigation confirmed unauthorized access to parts of its network where patient data was stored, and potentially, files were copied from its network. The affected data was reviewed and found to contain personal information and protected health information, including full names, addresses, dates of birth, Social Security numbers, telephone numbers, email addresses, person numbers, and medical record numbers. The types of data involved vary from individual to individual. Notification letters started to be mailed to the affected individuals on April 2, 2026.

Southern Illinois Dermatology has taken measures to augment cybersecurity and continually evaluates and modifies its security practices. While the threat group behind the attack was not disclosed, the Insomnia threat group took responsibility for the incident and claimed to have obtained the data of more than 150,000 patients. Samples of the stolen data were uploaded to its data leak site as proof, and the group proceeded to leak the data allegedly stolen in the attack.

Heart South Cardiovascular Group

Heart South Cardiovascular Group, a provider of cardiac testing and preventive treatment at centers in Alabama, has notified the Maine Attorney General about a data breach affecting up to 46,666 individuals, including 3 Maine residents. The incident was detected on November 11, 2025, when an unauthorized third party claimed to have obtained sensitive data from Heart South. An investigation was launched to determine the legitimacy of the claim, and while no evidence was found to indicate an intrusion or data exfiltration, Heart South confirmed that the threat actor had posted a limited amount of Heart South data online.

A review was conducted to determine all potentially affected individuals, which was completed on February 12, 2026. As a precaution, Heart South sent notification letters to all individuals whose data was stored on the parts of its network where the posted data was stored, and the potentially affected individuals have been offered complimentary credit monitoring and identity theft protection services. The Rhysida threat group claimed responsibility for the incident.

The post Data Breaches Reported by Southern Illinois Dermatology; Heart South Cardiovascular Group appeared first on The HIPAA Journal.