About

NJ Law Firm Cyberattack Exposes 12,801 Hospital Patients' Data

Published
Score
18

Why it matters

Greenbaum Rowe Smith & Davis LLP, a New Jersey law firm, discovered a cyberattack in November 2025 that exposed protected health information for 12,801 patients across three major hospital systems: Atlantic Health System, Hackensack Meridian Health, and Trinitas Regional Medical Center. A compromised user account gave unauthorized third parties access to names, addresses, medical record numbers, medical histories, insurance details, and in some cases Social Security numbers and dates of birth. The breach window was narrow—November 25–27, 2025—but the firm did not detect the intrusion until November 27.

The firm immediately reset passwords and replaced compromised machines. A cybersecurity investigation concluded April 15, 2026, confirming the scope of the breach. No evidence has emerged that the stolen data was published or misused. Affected patients are receiving notification letters and two years of complimentary identity theft protection services through IDX, with a dedicated call center operating through September 29, 2026.

The breach notification was officially published May 18, 2026, by the HHS Office for Civil Rights, triggering mandatory federal reporting under HIPAA for breaches affecting 500 or more individuals. Recent media coverage in early July brought the incident to public attention months after notification began. The case highlights a critical vulnerability in healthcare data security: patient information held by external business associates like law firms can expose hospital systems to breach liability. Greenbaum Rowe has since implemented additional monitoring and detection tools, but the incident underscores the need for healthcare providers to audit cybersecurity practices at all vendors handling protected health information.

Sources

mail Subscribe to Health Care email updates

Primary sources. No fluff. Straight to your inbox.

Also on LawSnap