Senator Bill Cassidy has given the largest public health system in the US until June 18 to explain what security controls were in place before the breach and what has changed since.
What happened
Senate Health, Education, Labor, and Pensions Committee Chairman Senator Bill Cassidy, M.D. (R-LA), sent a letter on June 4, 2026, to NYC Health + Hospitals Chief Executive Officer Mitchell Katz, M.D., and New York City Mayor Zohran Mamdani, seeking detailed answers about the 1.8 million-record data breach the health system disclosed in March 2026. According to Fierce Healthcare, the letter asks the health system to explain its cybersecurity protocols before the incident, how it has incorporated best practices from other critical infrastructure sectors, exactly when it became aware of the intrusion, which federal agencies were notified and when, and what remedial steps have been taken since. Senator Cassidy is requesting a response by June 18, 2026. The breach involved unauthorized access from approximately November 25, 2025, through February 11, 2026, with suspicious activity detected on February 2, 2026. Compromised data includes names, Social Security numbers, medical records, health insurance information, billing and claims data, precise geolocation data, and biometric information, including fingerprints and palm prints.
Going deeper
The letter puts specific pressure on the vendor access question. The investigation has suggested that initial access was gained through a third-party vendor. Senator Cassidy is asking for details about the steps taken to identify what additional information may have been accessed, how the health system is proactively communicating with potentially impacted individuals and entities, and what additional reporting commitments NYC Health + Hospitals will make beyond HIPAA's minimum requirements.
What was said
Senator Cassidy stated in his June 4 letter that "the recent cybersecurity incident affecting NYC Health + Hospitals, the largest public health system in the United States, highlights the risk cybersecurity incidents pose to patient safety and public trust in our healthcare system," and that "at a time when hostile actors are increasingly using sophisticated tactics by leveraging artificial intelligence, the health care sector needs to take meaningful steps to safeguard patient and consumer information." NYC Health + Hospitals has not yet responded publicly to the letter.
In the know
Senator Cassidy has established a pattern of sending formal inquiry letters to healthcare organizations following major breaches. According to Fierce Healthcare, Cassidy sent similar letters to Aflac following its 2025 breach affecting approximately 14 million individuals and to UnitedHealth Group following the Change Healthcare cyberattack in 2024. Cassidy also co-introduced the Health Care Cybersecurity and Resiliency Act alongside Senators Maggie Hassan, Mark Warner, and John Cornyn, which the HELP Committee advanced this spring. The bill would strengthen cybersecurity requirements across the healthcare sector and improve resilience against cyberattacks, though it has not yet been enacted into law.
The big picture
A Senate committee chair formally demanding answers about a healthcare breach introduces accountability pressure that OCR enforcement alone does not always generate quickly. Congressional inquiries move on political timelines, generate public records, and can drive legislative action in ways that regulatory investigations typically cannot. For NYC Health + Hospitals, the largest public health system in the country, serving predominantly Medicaid-insured patients who cannot easily switch providers, the June 18 deadline arrives while the organization is still managing the aftermath of a breach affecting 1.8 million individuals. The vendor access question at the center of both the breach and Senator Cassidy's inquiry connects directly to the legislative push the senator has championed, the Health Care Cybersecurity and Resiliency Act, which would require more prescriptive vendor security standards across healthcare, standards that the NYC Health + Hospitals breach proves are currently insufficient. According to the Verizon 2026 Data Breach Investigations Report, third-party breaches in healthcare rose 60% year over year, making vendor oversight the single fastest-growing category of healthcare breach exposure.
FAQs
What authority does the Senate HELP Committee have to demand answers from a health system?
The HELP Committee oversees federal health policy, including HIPAA and healthcare cybersecurity legislation. Committee chairs can send formal inquiry letters requesting information and responses, which carry huge political weight even without subpoena authority. Organizations that do not respond face reputational and legislative consequences, and the letters create a public record that can inform legislation and regulatory guidance.
Why was the letter also addressed to New York City's mayor?
NYC Health + Hospitals is a public health system governed by New York City. The mayor holds executive oversight responsibility for the system, making Mamdani an appropriate recipient alongside the system's CEO when federal legislators seek accountability for a breach at a publicly operated institution.
What does the Health Care Cybersecurity and Resiliency Act propose?
The bill would require healthcare organizations to meet more specific cybersecurity standards, improve coordination between HHS and CISA on healthcare cyber threats, and strengthen vendor security requirements, directly addressing the vendor access vulnerability that appears to have enabled the NYC Health + Hospitals breach. It has passed through the HELP Committee but has not yet been enacted.
Why does Senator Cassidy's letter ask about federal agency notifications?
HIPAA requires notification to HHS OCR within 60 days of discovering a breach affecting 500 or more individuals, but other federal agencies, including CISA and the FBI, have separate incident reporting channels. Asking when and which agencies were notified helps establish whether NYC Health + Hospitals followed all applicable federal reporting requirements and whether the response was coordinated across relevant agencies.
What additional reporting beyond HIPAA is the Senator asking about?
HIPAA sets minimum notification standards to affected individuals, HHS, and, in some cases, the media. Senator Cassidy is asking what voluntary or supplementary communications the health system will commit to, such as ongoing updates to affected individuals, public reporting on remediation progress, or proactive outreach to partner organizations whose data may also have been exposed through the vendor compromise.
