Greater Rochester Independent Practice Association, Inc.

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

The Greater Rochester Independent Practice Association Inc. (GRIPA) experienced a significant data breach due to a vulnerability in the MOVEit file transfer software. This incident, which came to light on May 31, 2023, allowed unauthorized access to sensitive consumer information, including names, protected health information (PHI), and Social Security numbers. The breach affected nearly 280,000 individuals[3].

GRIPA, a healthcare provider based in Rochester, New York, comprises over 1,300 physicians and their affiliate hospitals. It provides care coordination services to healthcare providers and health insurance plans, necessitating the handling of patient information to perform these services[3].

The breach was part of a global exploit of the MOVEit software, used by thousands of organizations, including GRIPA. An investigation concluded that the files taken from the MOVEit server contained patients’ personal information. The exposed information varies by individual but may include patients’ names, Social Security numbers, birth dates, doctor names, dates of last visit, and prescription information[13].

In response to the breach, GRIPA began sending out data breach notification letters to all affected individuals on October 26, 2023, advising them of the incident and the steps they can take to protect themselves from potential fraud or identity theft[3]. GRIPA has also reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights[3].

The breach has raised concerns among affected individuals, many of whom were unaware that GRIPA had access to their information. This is because GRIPA coordinates healthcare services for doctors and hospitals throughout the area, meaning that even those who have not directly done business with GRIPA may have had their information compromised[5][11].

Legal actions are being considered in light of the breach. Attorneys are investigating whether a class action lawsuit can be filed, which could provide affected consumers with compensation for any harm resulting from the breach and potentially force GRIPA to take steps to better protect the information it handles[13].

Affected individuals are advised to remain vigilant, monitor their financial and healthcare accounts for signs of fraud or identity theft, and consider taking steps such as signing up for credit monitoring services offered by GRIPA through IDX and placing fraud alerts or freezes on their credit reports[5].

Citations:

  1. https://gripa.org/notice-of-data-security-incident
  2. https://www.politico.com/newsletters/playbook/2024/02/09/a-day-biden-world-wishes-it-could-forget-00140647
  3. https://www.jdsupra.com/legalnews/gripa-files-notice-of-recent-moveit-4900833/
  4. https://dhr.ny.gov/complaint
  5. https://www.whec.com/consumer-alerts/consumer-alert-a-huge-data-breach-is-affecting-patients-across-the-rochester-area-heres-what-you-need-to-do/
  6. https://www.jointcommission.org
  7. https://www.thelyonfirm.com/blog/gripa-data-breach-investigation/
  8. https://atriaseniorliving.com
  9. https://apps.web.maine.gov/online/aeviewer/ME/40/f3d96627-e954-4f71-b465-2a4a88b00482.shtml
  10. https://theconversation.com/us
  11. https://www.whec.com/consumer-alerts/consumer-alert-gripa-data-breach-letter-your-questions-answered/
  12. https://www.businesswire.com
  13. https://www.classaction.org/data-breach-lawsuits/greater-rochester-independent-practice-association-inc-october-2023
  14. https://www.americanyawp.com/text/20-the-progressive-era/
  15. https://nydailyrecord.com/2023/11/17/familys-medical-records-compromisedmised/
  16. https://www.multiplan.us
Breach Submission Date Oct 26, 2023
Converted Entity Name Greater Rochester Independent Practice Association, Inc.
Converted Entity Type Healthcare Provider
State NY
Individuals Affected 279,156
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes