NYC Health + Hospitals stated it discovered suspicious activity in parts of its computer network on February 2, 2026, then moved to secure the network, start an investigation, and bring in outside cybersecurity specialists.
What happened
The health system later determined that an unauthorized actor had access to certain systems from about November 25, 2025, through February 11, 2026, and copied files from those systems during that window. Officials said the review is still ongoing, but early findings suggest the intruder may have gotten in through a security breach involving a third-party vendor rather than through a publicly disclosed issue originating inside NYC Health + Hospitals itself.
Based on the review so far, the exposed information may include medical record numbers, diagnoses, medications, test results, images, treatment plans, insurance details, billing and claims data, biometric information, and, for some people, highly sensitive personal data such as Social Security numbers, government ID numbers, financial account details, and online account credentials. NYC Health + Hospitals said it has reset compromised accounts, added detection and protective technologies, updated remote access policies, and offered 24 months of identity protection and credit monitoring to eligible patients and workforce members.
Going deeper
Healthcare breaches do more than expose data. A peer-reviewed JAMIA study found that 12.3% of US adults had withheld information from a healthcare provider because of security concerns and concluded that organizations must “secure patients’ PHI to avoid undermining their trust.” In other words, a breach does not end when the investigation starts. It can follow patients into future appointments, especially when the exposed records include diagnoses, treatment details, insurance data, or other highly sensitive information.
The wider trend is also moving in the wrong direction. A related March 2026 breach involving NYC Health + Hospitals’ care management partner, NADAP, showed how third-party incidents can also put patient data at risk, with records in a care coordination program exposed.
What was said
According to the notice of security incident, “Although the investigation is ongoing, it appears that the unauthorized actor may have gained access to NYC Health + Hospitals systems due to a security breach at a third-party vendor. This notification was not delayed as a result of a law enforcement investigation.”
FAQs
What is a data breach?
A data breach happens when unauthorized people gain access to sensitive information. That information can include names, addresses, Social Security numbers, medical records, insurance details, financial data, or login credentials.
What kinds of information are usually exposed in a data breach?
Exposed information often depends on the organization involved. In healthcare breaches, it may include medical record numbers, diagnoses, treatment details, insurance information, billing data, and sometimes financial or government identification information.
How do data breaches usually happen?
Many breaches start with phishing emails, stolen credentials, ransomware attacks, software vulnerabilities, or third-party vendor incidents. Weak access controls and delayed detection can make the damage worse.
