GrayRobinson and P.A.: GrayRobinson Data Breach Exposes Sensitive PII and PHI for 65,113 Individuals

GrayRobinson Law Firm Discloses Data Breach Affecting Over 65,000 Individuals

Orlando-based law and lobbying firm GrayRobinson, P.A. reported a data breach impacting 65,113 individuals across the U.S., including 52 Maine residents and 86 Massachusetts residents. The incident involved unauthorized access to the firm’s network, potentially exposing sensitive personal and health-related data.

The breach was detected on March 24, 2025, after an unauthorized party accessed GrayRobinson’s systems between March 5 and March 24, 2025. Following the discovery, the firm secured its network and engaged external cybersecurity experts to investigate. Nearly a year later, on April 13, 2026, the firm confirmed that compromised files contained personally identifiable information (PII) and protected health information (PHI).

Exposed data varied by individual but included:

• Names, dates of birth, and Social Security numbers
• Driver’s license, state ID, or government-issued identification numbers
• Financial account details
• Medical and health insurance information

GrayRobinson began notifying affected individuals via written letters on April 24, 2026, and reported the breach to the California Attorney General, posting a public notice on its website. As part of its response, the firm is offering complimentary credit monitoring and identity protection services through Experian IdentityWorks, including:

• Daily credit monitoring across all three major bureaus
• Identity restoration support
• $1 million in identity theft insurance

Affected individuals can enroll using an activation code provided in their notification letter or contact Experian’s customer care team at 855-944-2743 (Monday–Friday, 8 a.m.–8 p.m. CT). A dedicated call center (844-403-4596) is also available for 90 days from the notification date (Monday–Friday, 9 a.m.–6:30 p.m. ET).

Source: https://www.claimdepot.com/data-breach/grayrobinson-2026

GrayRobinson, P.A. cybersecurity rating report: https://www.rankiteo.com/company/grayrobinson-p-a-

"id": "GRA1777329899",
"linkid": "grayrobinson-p-a-",
"type": "Breach",
"date": "3/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': '65113',
                        'industry': 'Legal',
                        'location': 'Orlando, Florida, USA',
                        'name': 'GrayRobinson, P.A.',
                        'type': 'Law Firm'}],
 'attack_vector': 'Unauthorized Network Access',
 'customer_advisories': 'Complimentary credit monitoring and identity '
                        'protection services through Experian IdentityWorks',
 'data_breach': {'number_of_records_exposed': '65113',
                 'personally_identifiable_information': ['Names',
                                                         'Dates of birth',
                                                         'Social Security '
                                                         'numbers',
                                                         'Driver’s license '
                                                         'numbers',
                                                         'State ID numbers',
                                                         'Government-issued '
                                                         'identification '
                                                         'numbers',
                                                         'Financial account '
                                                         'details',
                                                         'Medical information',
                                                         'Health insurance '
                                                         'information'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally identifiable '
                                              'information (PII)',
                                              'Protected health information '
                                              '(PHI)']},
 'date_detected': '2025-03-24',
 'date_publicly_disclosed': '2026-04-24',
 'description': 'Orlando-based law and lobbying firm GrayRobinson, P.A. '
                'reported a data breach impacting 65,113 individuals across '
                'the U.S., including sensitive personal and health-related '
                'data. The breach involved unauthorized access to the firm’s '
                'network.',
 'impact': {'data_compromised': 'Personally identifiable information (PII) and '
                                'protected health information (PHI)',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High',
            'systems_affected': 'GrayRobinson’s network'},
 'investigation_status': 'Completed',
 'references': [{'source': 'GrayRobinson Public Notice'}],
 'regulatory_compliance': {'regulatory_notifications': ['California Attorney '
                                                        'General']},
 'response': {'communication_strategy': 'Written notifications to affected '
                                        'individuals, public notice on '
                                        'website, and reporting to California '
                                        'Attorney General',
              'containment_measures': 'Secured network',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Investigation and data review',
              'third_party_assistance': 'External cybersecurity experts'},
 'title': 'GrayRobinson Law Firm Data Breach',
 'type': 'Data Breach'}