Key Takeaways
- A cyber‑attack on New Jersey law firm Greenbaum Rowe Smith & Davis exposed protected health information (PHI) of 12,801 individuals.
- The breach stemmed from a compromised user account discovered on November 27, 2025; the firm’s investigation concluded on April 15, 2026.
- Affected data included names, addresses, Social Security numbers, dates of birth, medical details, and health‑insurance information.
- The firm serves major health systems—Atlantic Health System, Hackensack Meridian Health, and Trinitas Regional Medical Center—so patients of all three may be impacted.
- Greenbaum is notifying affected individuals by mail, offering free identity‑theft protection, and operating a dedicated call center (1‑844‑685‑6447) with an online portal; enrollment ends September 29, 2026.
- Although no evidence shows the stolen data has been published or misused, the incident prompted the firm to strengthen its cybersecurity posture.
- Hackensack Meridian Health, the state’s largest provider, confirmed it is monitoring the situation and remains in close contact with Greenbaum, though the breach did not occur on its own networks.
- The breach is reportable under HIPAA because it affected more than 500 individuals; the U.S. Department of Health & Human Services Office for Civil Rights posted the notice on May 18, 2026.
- The incident underscores the vulnerability of third‑party service providers handling sensitive health data and the importance of robust access controls, timely incident response, and patient‑focused remediation.
- Ongoing vigilance, regular security audits, and employee training are essential to prevent similar compromises in the legal and healthcare sectors.
Background of the Incident
Greenbaum Rowe Smith & Davis, a New Jersey‑based law firm that provides legal counsel to several major healthcare providers, experienced a cyber attack that compromised its internal systems. The firm disclosed the breach in a notice issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights on May 18, 2026, triggering mandatory reporting under the Health Insurance Portability and Accountability Act (HIPAA) because the incident affected more than 500 individuals.
Discovery and Initial Response
Unauthorized access was first detected on November 27, 2025, when the firm identified activity originating from a compromised user account. Upon learning of the intrusion, Greenbaum promptly reset passwords, notified law‑enforcement authorities, and launched an internal investigation to ascertain the scope of the breach and determine which individuals’ data had been accessed.
Investigation Findings
The investigation, which concluded on April 15, 2026, confirmed that an unauthorized third party had acquired protected health information from the firm’s systems. The data accessed included patients’ names, residential addresses, Social Security numbers, dates of birth, medical information, and health‑insurance details. No evidence has emerged indicating that the stolen information has been published, sold, or otherwise misused to date.
Scale of the Breach
According to the HHS notice, the breach affected a total of 12,801 individuals. This figure places the incident well above the threshold for mandatory public disclosure and highlights the significant reach of the compromise, given the firm’s clientele includes several large health networks operating across New Jersey.
Impacted Healthcare Providers
Greenbaum provides legal services to prominent health systems such as Atlantic Health System, Hackensack Meridian Health, and Trinitas Regional Medical Center. Consequently, patients receiving care at any of these institutions may have had their personal and medical data exposed through the law firm’s compromised systems.
Notification and Patient Support
In line with regulatory requirements and its own commitment to transparency, Greenbaum is mailing breach notification letters directly to all affected individuals. To assist those impacted, the firm has arranged for complimentary identity‑theft protection services and established a dedicated call center reachable at 1‑844‑685‑6447. An online assistance portal is also available at https://response.idx.us/grsd/. Enrollment in these protective services must be completed by September 29, 2026.
Response from Healthcare Partners
A spokesperson for Hackensack Meridian Health, the state’s largest healthcare provider, expressed concern over the incident, emphasizing that while the breach did not occur on the provider’s own networks, the organization remains in close contact with Greenbaum to monitor developments and support affected patients. Similar sentiments have been echoed by representatives from Atlantic Health System and Trinitas Regional Medical Center.
Post‑Breach Security Enhancements
Following the investigation, Greenbaum announced that it has bolstered its cybersecurity defenses. Measures include strengthening account‑access controls, implementing multi‑factor authentication, conducting regular security audits, and enhancing employee training on phishing and social‑engineering threats. These steps aim to reduce the likelihood of future unauthorized access incidents.
Broader Implications for the Legal and Healthcare Sectors
The breach serves as a stark reminder of the risks associated with third‑third‑party vendors that handle sensitive health information. Law firms, billing agencies, and other service providers are increasingly targeted because they aggregate valuable data from multiple healthcare entities. The incident underscores the necessity for rigorous vendor risk management, continuous monitoring of privileged accounts, and rapid incident‑response capabilities across both legal and healthcare organizations.
Regulatory Context and Reporting Obligations
Under HIPAA’s Breach Notification Rule, covered entities and their business associates must report breaches of unsecured protected health information affecting 500 or more individuals to the Secretary of HHS, notify affected individuals without unreasonable delay, and, in cases involving more than 500 residents of a state or jurisdiction, provide notice to prominent media outlets. Greenbaum’s filing with HHS satisfies these obligations, and the public notice enables patients to take protective actions.
Conclusion and Ongoing Vigilance
While there is currently no indication that the exposed data has been exploited, the breach highlights the evolving threat landscape facing organizations entrusted with personal health information. Continued vigilance, investment in advanced security technologies, regular penetration testing, and a culture of security awareness remain critical to safeguarding patient privacy and maintaining trust in the healthcare ecosystem. Individuals are encouraged to monitor their credit reports, consider enrolling in the offered identity‑theft protection, and remain alert for any signs of fraudulent activity related to their personal information.

