2025 Losses to Cybercrime Exceeded $20 Billion

Posted by Steve Alder

In 2025, another unwanted record was set for losses to cybercrime, with almost $21 billion in reported losses, beating the previous record of $16.6 in losses set in 2024 by 26%, according to the Federal Bureau of Investigation (FBI) Internet Crime Report 2025. The report was compiled based on complaints filed with the FBI’s Internet Crime Complaint Center (IC3), which topped 1 million for the first time, increasing from 859,000 complaints in 2024. This is the 25th year that the FBI has released its annual report, which started with a few thousand complaints filed per month to an average of almost 3,000 complaints per day in 2025.

The increase in losses was largely driven by an increase in losses to investment fraud ($8,648,617,756), which was the largest cause of losses in 2025, followed by business email compromise – BEC – ($3,046,598,558) and tech support scams ($2,134,675,818).

Source: FBI Internet Crime Complaint Report 2025

In terms of complaint volume, phishing topped the list (191,561 complaints), followed by extortion (89,129 complaints), investment fraud (72,984 complaints), and personal data breaches (67,456), with non-payment/non-delivery rounding out the top 5 (56,478 complaints). Cyber-enabled fraud was present in 453,000 complaints, accounting for $17.7 billion in total losses. In 2025, 181,565 complaints related to cryptocurrency, and 22,364 related to AI-related incidents, with the latter involving $893 million in losses.

IC3 received 3,611 complaints related to ransomware, resulting in more than $32 million in losses. Those losses do not include losses due to business disruptions, equipment, or third-party remediation costs. Ransomware attacks were among the top cyber threats reported by critical infrastructure entities. The biggest ransomware threats in terms of complaint volume were Akira, Qilin, INC Ransom/Lynx/Sinobi, BianLian, and Play. Across all 16 critical infrastructure sectors, the healthcare and public health sector experienced the highest number of cyber threats, including 182 data breaches and 460 ransomware attacks, ahead of critical manufacturing, financial services, information technology, and the government.

The FBI said it has upgraded its efforts to prevent cybercrime, including blocking attacks, notifying victims, and freezing stolen funds. In January, the FBI launched its Operation Winter Shield, which explained some of the most important steps that businesses can take to improve their defenses against cyber threats and block cyberattacks. The FBI also launched Operation Level Up, a proactive approach to identify and alert victims of cryptocurrency investment fraud. The FBI reports that out of the 3,780 victims the agency notified last year, 78% were unaware that they were being scammed. Last year, the FBI also initiated approximately 3,900 Financial Fraud Kill Chain (FFKC) interventions, and was able to block a significant number of fraudulent transactions, freezing more than $679 million in fraudulent transfers, achieving a 58% success rate, and a 65% success rate for its FFKC Actions in healthcare.

The post 2025 Losses to Cybercrime Exceeded $20 Billion appeared first on The HIPAA Journal.

OrthopedicsNY Settles Class Action Data Breach Lawsuit for $1.45M

Posted by Steve Alder

A $1,450,000 settlement has been agreed upon to resolve a class action lawsuit against the New York orthopedic medicine and surgery practice OrthopedicsNY. The class action complaint was filed in response to a December 2023 ransomware attack and data breach that exposed the personal and electronic protected health information of 656,086 patients.

OrthopedicsNY, which operates almost 20 clinics in the Capital Region in New York State, was attacked by the INC Ransom threat group on or around December 28, 2023. Prior to encrypting files, INC Ransom exfiltrated sensitive patient data, including names, contact information, financial information, protected health information, Social Security numbers, passport numbers, and driver’s license numbers. The affected individuals were notified on November 4, 2024.

Several class action lawsuits were filed in response to the data breach, which were consolidated in a single action – Michael Sayers, et al. v. OrthopedicsNY, LLP – in the Circuit Court of the 17th Judicial Circuit in and for Broward County, Florida. The plaintiffs alleged that the defendant promised to protect their sensitive personal and health information but failed to do so, resulting in a ransomware attack and the theft of their data. The plaintiffs asserted claims for negligence, negligence per se, breach of implied contract, and unjust enrichment.

OrthopedicsNY agreed to a settlement to avoid the cost and time of protracted litigation and the uncertainty of a trial. Class counsel and the class representatives believe the settlement is fair and that accepting the settlement is in the best interests of class members. Under the terms of the settlement, OrthopedicsNY has agreed to establish a $1,450,000 settlement fund to cover attorneys’ fees and expenses, notification and administration costs, and service awards for the 12 named class representatives. After covering those costs, the remainder of the settlement fund will be used to pay for benefits to the class members.

Class members may claim one of two cash payments. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member, or they may claim an alternative cash payment, which is anticipated to be $50 per class member, but may be higher or lower depending on the number of valid claims received. The deadline for objection, opting out, and submitting a claim is June 15, 2026. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for June 30, 2026.

In addition to the class action settlement, OrthopedicsNY previously settled an investigation by the New York Attorney General and paid a $500,000 financial penalty. The New York Attorney General determined that OrthopedicsNY failed to implement reasonable and appropriate cybersecurity measures to secure patient data, in violation of federal and state laws. In addition to the financial penalty, OrthopedicsNY agreed to implement and maintain a comprehensive information security program and several cybersecurity measures to bolster security and offer the affected individuals one year of complimentary credit monitoring services.

The post OrthopedicsNY Settles Class Action Data Breach Lawsuit for $1.45M appeared first on The HIPAA Journal.