GrayRobinson Data Breach Exposes Sensitive PII and PHI for 65,113 Individuals

GrayRobinson, P.A., a full-service law and lobbying firm based in Orlando, Florida, disclosed a data breach that affected approximately 65,113 individuals in the United States, including 52 Maine residents and 86 Massachusetts residents

On or about March 24, 2025, GrayRobinson detected unauthorized access to its computer network. The unauthorized access resulted in what the firm described as the potential exposure of a limited amount of data it maintains.

Upon discovering the issue, GrayRobinson secured its network and launched an investigation with the help of external cybersecurity professionals experienced in handling these types of incidents.

The investigation determined that an unauthorized individual or individuals may have accessed or removed files from the firm's systems during a window that lasted nearly three weeks, from March 5, 2025, through March 24, 2025.

On April 13, 2026, GrayRobinson determined that the impacted files may have contained personal information belonging to affected individuals. The elements of personal information varied from person to person.

The types of personally identifiable information (PII) exposed included first and last name, date of birth, Social Security number, driver's license number, state or government ID and financial account information.

The breach also involved protected health information (PHI), including medical information and health insurance information.

GrayRobinson began sending written notifications to affected individuals on April 24, 2026. The breach was additionally reported to the California Attorney General, with the firm posting a notice on its website.

GrayRobinson's response to the breach

The firm is offering affected individuals complimentary credit monitoring and identity protection services through Experian IdentityWorks. The membership includes a credit report at signup, daily credit monitoring across all three major bureaus identity restoration support and $1 million in identity theft insurance coverage.

Affected individuals can enroll in the credit monitoring service by visiting the Experian IdentityWorks website and entering the activation code provided in their notification letter. Those who need help with enrollment or identity restoration can contact Experian's customer care team at 855-944-2743, available Monday through Friday from 8 a.m. to 8 p.m. Central Time.

Affected individuals can reach a dedicated and confidential call center at 844-403-4596, available Monday through Friday from 9 a.m. to 6:30 p.m. Eastern Time, excluding major U.S. holidays. The response line will be available for 90 days from the date of the letter.

Steps to take if your information was exposed

• Place a fraud alert or credit freeze on credit files by contacting any one of the three major credit bureaus: Equifax (1-888-378-4329), Experian (1-888-397-3742) or TransUnion (1-800-680-7289).
• Request free credit reports at AnnualCreditReport.com and review them carefully for unfamiliar accounts or unauthorized inquiries.
• Review financial account statements regularly for any suspicious or unauthorized transactions, since financial account information was among the data potentially exposed.
• Monitor Explanation of Benefits statements from health insurers for services not received, as medical and health insurance information may have been accessed during this breach.
• Be cautious of phishing attempts that reference GrayRobinson or this data breach by name, as scammers may try to use the incident to trick people into sharing more personal information.
• Report suspected identity theft to the Federal Trade Commission at ftc.gov/idtheft or by calling 1-877-438-4338, and file a police report if there is any evidence of fraud.