Cyber Incident Victim: Greater Rochester Independent Practice Association
Date: May 2023
Location: United States of America
Summary
The Greater Rochester Independent Practice Association (GRIPA) suffered an external system breach resulting in unauthorized access to sensitive information. The compromised data included names in combination with Social Security numbers for over 1,700 individuals. The healthcare entity discovered the incident promptly and subsequently offered affected persons complimentary credit monitoring and identity restoration services for a period of one year.
Description
On or around May 28, 2023, Greater Rochester Independent Practice Association, Inc. (GRIPA) experienced an external system breach. The incident, which was a hacking event, resulted in the unauthorized acquisition of personal information. The organization, a healthcare entity located at 100 Kings Highway S., Suite 2500, Rochester, New York, 14617, discovered the breach three days later on May 31, 2023. The specific technical details regarding the method of intrusion, the systems initially compromised, and the exact timeline of the attacker's actions within the network were not publicly disclosed in the available notification.

The information acquired during the security breach included the names of individuals in combination with their Social Security Numbers. This combination of personal identifiers is highly sensitive and significantly increases the risk of identity theft and financial fraud for the affected individuals. The total number of persons affected by this incident was 1,742. This figure included individuals from various locations, with the State of Maine reporting that six of its residents were among those impacted. The breach notification did not specify if the affected individuals were solely patients or if they included employees or other individuals associated with the practice association.

In response to the discovery of the incident, GRIPA engaged outside counsel to manage the breach response and notification process. The law firm of Clark Hill, PLC, with Melissa Ventrone acting as the member of the firm responsible for the submission, was designated to interface with regulatory bodies. The organization determined that formal written notification was the appropriate method for informing consumers whose data was compromised. The process of organizing and executing this notification took several months, with the letters to affected Maine residents being sent on October 5, 2023. A copy of this notice, titled "GRIPA ONLY Notice Letter (Adult)(273148299.1)_v3 (Static Proof r2).pdf," was provided to the Maine Attorney General's office as part of their data breach reporting requirements.

As a remedial measure to assist those impacted, GRIPA offered complimentary identity theft protection services to all affected persons. The organization contracted with IDX to provide these services, which included credit monitoring and identity restoration support. The offering was for a duration of twelve months, providing a means for individuals to monitor their credit reports for signs of fraudulent activity and to receive assistance in restoring their identities should any theft occur as a result of the data exposure. This offering is a common practice in the wake of breaches involving highly sensitive personal information as a way to mitigate potential future harm to consumers.

The notification confirmed that there had been no previous breach notifications submitted by the entity within the twelve months prior to this incident. The complete scope of the organizational impact, including any operational disruptions or financial losses incurred by GRIPA itself as a result of the attack, was not detailed in the public breach notification. The focus of the available information remained on the consumer data compromise and the subsequent response actions taken to notify and protect the affected individuals.
