The firm immediately reset passwords and replaced compromised machines. A cybersecurity investigation concluded April 15, 2026, confirming the scope of the breach. No evidence has emerged that the stolen data was published or misused. Affected patients are receiving notification letters and two years of complimentary identity theft protection services through IDX, with a dedicated call center operating through September 29, 2026.
The breach notification was officially published May 18, 2026, by the HHS Office for Civil Rights, triggering mandatory federal reporting under HIPAA for breaches affecting 500 or more individuals. Recent media coverage in early July brought the incident to public attention months after notification began. The case highlights a critical vulnerability in healthcare data security: patient information held by external business associates like law firms can expose hospital systems to breach liability. Greenbaum Rowe has since implemented additional monitoring and detection tools, but the incident underscores the need for healthcare providers to audit cybersecurity practices at all vendors handling protected health information.