Florida Law Firm Data Breach Affects 65,000 Individuals
A cyberattack at the law firm GrayRobinson has affected 65,000 individuals. Data breaches have also been announced by C2N Diagnostics in Missouri and Virta Health in Colorado.
GrayRobinson
The Orlando, Florida-based law firm GrayRobinson, P.A., has notified the Maine Attorney General about a data breach affecting 65,113 individuals, including 52 Maine residents. Among those individuals, 54,131 people had their protected health information exposed in the incident. In its substitute data breach notice, GrayRobinson explained that unauthorized access to its network was detected on or around March 24, 2025. Immediate steps were taken to secure its network, and assisted by third-party cybersecurity specialists, the incident was investigated to determine the extent to which sensitive information had been compromised.
The investigation confirmed that its network was accessed by an unauthorized third party between March 5, 2025, and March 24, 2025, and during that time, files containing personal and protected health information were exfiltrated from its network. The data was reviewed, and on April 13, 2026, the file review concluded and determined that full names, dates of birth, Social Security numbers, driver’s license numbers, state and government ID numbers, financial account information, medical information, and health insurance information were involved.
GrayRobinson said it had taken many precautions to protect against unauthorized access to its systems and data, and continually evaluates and modifies its practices and internal controls to enhance security and ensure the privacy of sensitive information. Complimentary credit monitoring and identity theft protection services have been made available. Notification letters started to be sent to the affected individuals on April 24, 2026.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
C2N Diagnostics, Missouri
C2N Diagnostics, a St. Louis, MO-based specialty diagnostics company providing lab services and products related to brain health, has disclosed a cybersecurity incident that was identified on March 6, 2026. C2N Diagnostics said it was targeted by a cybercriminal actor who gained access to a small number of stored employee communications, some of which contained personal information.
The data was reviewed and found to include names, dates of birth, contact information, health information, blood test analysis results, health insurance information, and Social Security numbers. The affected individuals have been notified by mail and offered complimentary credit monitoring and identity theft protection services for at least 12 months as a precaution against data misuse. At the time of issuing notification letters, C2N Diagnostics was unaware of any misuse of the exposed data. C2N Diagnostics reported the breach to the HHS’ Office for Civil Rights on April 27, 2026, as affecting 2,027 individuals.
Virta Health
Virta Health Corp & Virta Medical PC, a Denver, CO-based provider of digital health services to help individuals manage type 2 diabetes, prediabetes, and obesity, has identified unauthorized access to one of its data repositories. The unauthorized access was identified on March 24, 2026, and the investigation confirmed that it had been compromised between March 19, 2026, and March 22, 2026.
The data repository was separate from its current production platform and contained personal information, the details of which were not disclosed in its data breach notice. Virta Health said its investigation confirmed that data had been exposed, and “could not rule out the possibility that an unknown actor may have accessed [personal information].” The Lapsus$ threat group claimed responsibility for the attack and added Virta Health to its data leak site on March 23, 2026, one day prior to the breach being detected. It is unclear if the ransom was paid or how many individuals were affected by the incident.
