NYC Health + Hospitals Data Breach Affects Almost 2 Million Patients

The New York public health system, NYC Health + Hospitals, has started mailing notification letters to almost 2 million individuals about a breach of some of their personal and protected health information. NYC Health + Hospitals operates more than 70 care locations throughout New York City and serves around 1 million patients a year. The majority of its patients lack health insurance and are provided with healthcare services under programs such as Medicare and Medicaid.

NYC Health + Hospitals first announced the breach on March 24, 2026; however, at that time, the scale of the breach had yet to be determined. In its substitute breach notice, NYC Health + Hospitals explained that its network was likely compromised due to a security breach at a third-party vendor. The vendor was not named by NYC Health + Hospitals, so the exact nature of the business associate agreement is not known.

Vendors such as managed service providers are provided with privileged access to the systems of their HIPAA-covered entity clients. A breach at a vendor can allow a threat actor to attack multiple clients and gain access to huge volumes of highly sensitive data, which is why business associates are such attractive targets for cybercriminals.

NYC Health + Hospitals said it learned about the breach on February 2, 2026, when it identified anomalous activity within its computer systems. Immediate action was taken to secure its systems and contain the incident. The forensic investigation confirmed that some of its systems were subject to unauthorized access over a 3-month period between November 25, 2025, and February 11, 2026, which means access to at least some of its systems continued for 9 days after the suspicious activity was first identified.

Evidence was found of data exfiltration, and after reviewing the affected files, NYC Health + Hospitals determined that they contained a range of patient data. The types of information varied from individual to individual and included names, Social Security numbers, driver’s license numbers, other government-issued ID numbers, credit and debit card numbers, financial account information or credentials, online account credentials, billing information, claims and payment information, health insurance information, Medicare/Medicaid numbers, and health information such as medical record numbers, diagnoses, medications, test results, medical images, and treatment plans. In addition, precise geolocation data was compromised, as well as biometric information such as fingerprints and palm prints. The latter is particularly concerning as that information is permanently tied to an individual.

NYC Health + Hospitals said it has implemented additional cybersecurity measures, including enhanced detection and monitoring tools, and has updated its remote access management policies. The affected individuals, who include employees and patients, have been offered 24 months of complimentary credit monitoring and identity theft protection services. The HHS’ Office for Civil Rights was informed that the protected health information of 1,800,000 individuals was compromised in the incident, making it one of the largest healthcare data breaches to be reported so far this year.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

This is the second data breach to be announced by NYC Health + Hospitals this year, although the other incident only affected 5,086 patients. That breach was due to an incident at one of its care management agency partners – National Association on Drug Abuse Programs (NADAP) – that happened at around the same time as this incident started. The breach was identified by NADAP on January 10, 2026, with the unauthorized access commencing on November 26, 2025. NYC Health + Hospitals was notified about the data breach by NADAP on January 27, 2026. While the dates are similar, the two incidents were unrelated.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/