Active breach tracker Coral Gables, Florida Disclosed July 3, 2025

Zumpano Patricios Data Breach 2025: 279,275 Patients of Provider Clients Exposed at FL Healthcare Law Firm (Business Associate)

Zumpano Patricios, P.A., a Coral Gables healthcare law firm and HIPAA business associate, detected an intrusion on May 6, 2025 and began notifying 279,275 patients of provider clients on July 3, 2025. Exposed data included names, SSNs, member IDs, health insurer info, dates of service, charges, payments, clinical coding and medical records.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 6, 2025

Zumpano Patricios detected a cyberattack on parts of its network; forced password resets, blocked external access, engaged third-party forensics, and notified law enforcement.

May 6, 2025

Attacker gained access

May 14, 2025

Firm disclosed the incident to its provider clients.

Jul 3, 2025

Firm posted substitute notice on zplaw.com and began notifying affected individuals; filed with HHS OCR and the New Hampshire Attorney General. IDX call center opened at 1-855-202-2485.

Jul 3, 2025

Disclosed publicly

Jul 10, 2025

Multiple plaintiff firms publicly announced investigations (Strauss Borrelli, Federman & Sherwood, Levi & Korsinsky, Schubert Jonckheer & Kolbe).

Jul 17, 2025

ZP Law filed notice with the Massachusetts Attorney General, reporting 5 Massachusetts residents affected.

Nov 3, 2025

U.S. District Judge Beth Bloom (S.D. Fla.) dismissed the case filed by named plaintiff William Manning for lack of Article III standing; Nelson Mullins defended ZP Law. Case closed.

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers (limited cases)

02

Health records

Don't expire and can't be reissued

Clinical coding information (limited cases) Medical records (limited cases)

03

Contact & insurance

Phishing + targeted scams

First and last names Dates of birth Provider names Member ID numbers Health insurer information Dates of service Amounts charged by providers and payment amounts received

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC Federman & Sherwood Levi & Korsinsky, LLP Schubert Jonckheer & Kolbe Siri & Glimstad / SLFLA
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Zumpano Patricios, P.A. (ZP Law) is a Coral Gables, Florida healthcare law firm that represents hospital systems and physician groups in disputes with health insurance companies over payment for medical services. The firm receives patient information — typically on spreadsheets — from its provider clients as part of those payment disputes. That business model made it a HIPAA business associate holding the data of 279,275 patients across its client base.

On May 6, 2025, ZP Law detected a cyberattack on parts of its IT network. The firm immediately forced password resets, blocked external access, engaged third-party forensic investigators, and notified law enforcement. By May 14, 2025, the firm had notified its provider clients. Forensics confirmed that an unauthorized third party had accessed portions of the network where patient data was stored and may have copied files; the exact date the intrusion began was not determined.

ZP Law posted a substitute notice on zplaw.com on July 3, 2025 and filed the same day with HHS OCR and the New Hampshire Attorney General. A supplemental filing with the Massachusetts Attorney General followed on July 17, 2025, reporting 5 Massachusetts residents affected. No ransomware group has publicly claimed responsibility for the attack; no threat actor attribution is publicly confirmed as of this writing.

What was stolen

The forensic investigation confirmed the following data elements were affected, with the specific combination varying by individual:

  • First and last names
  • Social Security numbers (limited cases)
  • Dates of birth
  • Provider names
  • Member ID numbers
  • Health insurer information
  • Dates of service
  • Amounts charged by providers and payment amounts received
  • Clinical coding information (limited cases)
  • Medical records (limited cases)

Your notification letter specifies which subset applied to you. The combination of insurer ID, member ID, clinical codes, and provider charges is the type of dataset used for medical-identity fraud, fraudulent claim submission, and targeted phishing keyed to a real care episode.

What Zumpano Patricios is offering

ZP Law is offering 12 months of complimentary credit and dark-web monitoring through IDX, a $1 million identity-theft insurance reimbursement policy, and fully managed identity-theft recovery services. The dedicated IDX call center is 1-855-202-2485, available Monday through Friday, 9 a.m. to 9 p.m. EST (excluding major U.S. holidays). Enrollment instructions and the activation code appear in your individual notification letter.

Because ZP Law is a business associate, your notification letter may arrive from ZP Law directly or from your hospital, physician group, or health plan acting on ZP Law’s report. If you receive a letter from a provider referencing a “law firm vendor,” “outside counsel,” or an incident “first detected in May 2025,” that is this event.

Class actions

A proposed class action was filed in the U.S. District Court for the Southern District of Florida within days of notification. Named plaintiff William Manning alleged that the cybersecurity incident increased the risk of future misuse of his personal information. On November 3, 2025, Judge Beth Bloom dismissed the case and closed all proceedings at the pleading stage, before discovery, finding that allegations of increased risk did not meet the concrete-injury threshold required for Article III standing under federal law. ZP Law was defended by Nelson Mullins (lead attorneys Mark F. Raymond and Jennifer Winkler).

Multiple plaintiff firms had previously announced investigations: Strauss Borrelli PLLC, Federman & Sherwood, Levi & Korsinsky LLP, Schubert Jonckheer & Kolbe, and Siri & Glimstad / SLFLA. The underlying HHS OCR investigation is unaffected by the federal civil dismissal. No appeal or refiling has been publicly confirmed as of this page’s last update.

What to do

  1. Enroll in IDX credit monitoring if you have not done so. Call 1-855-202-2485 or use the activation code in your notification letter. The $1 million reimbursement policy and managed recovery services have value even if you see no immediate misuse.
  2. Freeze your credit at all three nationwide bureaus (Equifax, Experian, TransUnion) if SSN was in your exposure set. Freezes are free, reversible, and stop new-account fraud cold.
  3. Review explanation-of-benefits (EOB) statements from your insurer for services you did not receive. The exposed dataset, combining clinical codes, member IDs, and charge amounts, is structured for fraudulent claim submission, not just credit fraud.
  4. File IRS Form 14039 (Identity Theft Affidavit) if your SSN was confirmed exposed. This flags your account for enhanced scrutiny and can block fraudulent tax filings.
  5. Read your letter carefully. The notice distinguishes “limited cases” (SSN, clinical codes, medical records) from the broader group with billing-adjacent data only. Your specific exposure set determines your risk profile.
  6. Stop the ongoing flow of your healthcare billing data. HealthConsent files HIPAA restriction requests so the insurance-dispute and clinical data exposed in this breach is not continuously re-shared across provider networks and health information exchanges.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.