Greater Rochester Independent Practice Association Data Breach Exposes Social Security Numbers and Health Records

Healthcare data breach illustration
Breach Discovery: Not Publicly DisclosedBreach Notification: Not Publicly Disclosed

What Happened in the GRIPA Data Breach?

The GRIPA data breach traces back to a much larger cyberattack that hit organizations around the world. In May 2023, the Russian-speaking hacking group Cl0p exploited a previously unknown flaw in Progress Software’s MOVEit Transfer file transfer tool. Greater Rochester Independent Practice Association, known as GRIPA, used this software and became one of the many client organizations swept up in the attack.

Cl0p targeted an estimated 2,700 companies through this single vulnerability. As a result, the hackers exfiltrated sensitive data from numerous organizations before demanding ransom payments to prevent its release. When many victims, including GRIPA, did not meet these demands, Cl0p published stolen data on the dark web. This exposed the personal information of nearly 96 million people globally.

Following the breach, patients filed lawsuits alleging that GRIPA could have prevented the incident. These claims pointed to a failure to use industry-standard cybersecurity protections, such as monitoring for suspicious activity and auditing the platform’s security. Because so many organizations were affected by the same MOVEit vulnerability, the lawsuits were consolidated into a multidistrict litigation in the U.S. District Court for the District of Massachusetts.

GRIPA specifically faced four class action lawsuits related to the breach, beginning with Clarke, et al. v. Progress Software Corp., et al. The company filed a motion to dismiss the claims, which the court partially denied in December 2024. Rather than proceed through a lengthy trial, GRIPA entered mediation with plaintiffs in June 2025, which resulted in an agreement on settlement terms.

Who was affected?

The GRIPA data breach affected patients whose personal and health information was stored within systems connected to the MOVEit platform. Because GRIPA operates as an independent practice association, the exposed individuals likely include patients across its network of affiliated healthcare providers.

The exact number of GRIPA patients impacted by this breach has not been publicly disclosed. However, the broader MOVEit attack affected close to 96 million people worldwide, making it one of the largest data security incidents in recent years. Given the sensitive nature of the information involved, both adult patients and potentially minors receiving care through GRIPA-affiliated providers could be affected.

What Information Was Potentially Exposed?

According to the lawsuit, the data breach compromised a wide range of sensitive patient information. This data was not only accessed but also published by the attackers after ransom demands went unmet, increasing the risk to affected individuals.

  • Full names
  • Dates of birth
  • Social Security numbers
  • Health and treatment information
  • Health insurance information
  • Pharmacy prescription information
  • Prescriber information

This combination of data creates serious risks for affected individuals. For example, Social Security numbers paired with dates of birth give criminals nearly everything needed to open fraudulent credit accounts or file false tax returns. In addition, because financial and identity data rarely expires, this risk can persist for years after the breach.

Beyond financial fraud, the exposure of health and prescription information raises the possibility of medical identity theft. This occurs when someone uses stolen health data to fraudulently obtain medical services or prescription drugs under another person’s name. As a result, victims may find inaccurate information in their medical records, which can complicate future treatment and insurance claims.

What is the company doing?

After learning of the breach, GRIPA became part of the broader response coordinated across the MOVEit litigation. Although GRIPA has denied any wrongdoing, it chose to resolve the claims against it through settlement rather than continue litigation. This decision came after weighing the cost, length, and uncertainty of a trial.

As part of the response, GRIPA agreed to establish a $2,150,000 settlement fund to compensate class members. In addition, the company agreed to offer two years of complimentary credit monitoring and identity theft protection services to all class members who file a claim. These measures aim to help affected individuals detect and respond to any misuse of their information.

What Should Affected Individuals Do?

File a Claim Under the Settlement

Affected individuals should determine whether they qualify as class members under the GRIPA settlement. Those who experienced actual financial losses tied to the breach may submit a claim for reimbursement of up to $2,500 in ordinary losses, or up to $10,000 in extraordinary losses.

Alternatively, class members who prefer not to document specific losses can claim a one-time cash payment, estimated at around $100. Because the deadline to file a claim is September 3, 2026, affected individuals should act promptly to gather any supporting documentation and submit their claims before the window closes.

Monitor Your Credit Reports Closely

Given that Social Security numbers were exposed, affected individuals should monitor their credit reports regularly for signs of fraud. This means checking for unfamiliar accounts, unexpected credit inquiries, or changes to personal information on file.

Consumers can request free credit reports from each of the three major credit bureaus. By reviewing these reports on a rotating basis throughout the year, individuals can catch suspicious activity earlier and limit the damage caused by identity theft.

Consider a Fraud Alert or Credit Freeze

Because financial and identity information was exposed in this breach, placing a fraud alert or credit freeze can provide meaningful protection. A fraud alert requires creditors to verify your identity before opening new accounts in your name.

A credit freeze goes a step further by restricting access to your credit file entirely, making it much harder for identity thieves to open new accounts. Individuals worried about long-term exposure of their Social Security numbers should strongly consider this option, especially since these numbers cannot be changed like a password.

Watch for Medical Identity Theft

Since health and prescription information was compromised, affected individuals should watch closely for signs of medical identity theft. This can include unexpected medical bills, unfamiliar entries in insurance statements, or notices about services never received.

Reviewing an Explanation of Benefits statement from your health insurer is a practical way to catch this type of fraud early. If anything looks unfamiliar, contact your insurance provider immediately to dispute the charges and correct your medical records.

Enroll in the Offered Credit Monitoring Services

Individuals affected by this breach should take advantage of the two years of complimentary credit monitoring and identity theft protection offered through the settlement. This service can alert you to new account openings or suspicious credit activity in real time.

Enrolling is a simple step that adds an extra layer of protection at no cost. Given the sensitivity of the exposed data, affected individuals should not delay signing up once their claim has been processed.



Related Data Breaches