NYC Health + Hospitals Corporation disclosed on March 24, 2026, that personally identifiable information (PII) and protected health information (PHI) were exposed following unauthorized access to its network that persisted from November 25, 2025, through February 11, 2026.
Incident Identification and Timeline
NYC Health + Hospitals identified suspicious activity within its computer network on February 2, 2026. Immediate action was taken to secure affected systems. An investigation was started with assistance from third-party cybersecurity specialists.
The investigation determined that an unauthorized third party first gained access on November 25, 2025, and maintained access until February 11, 2026. The period of unauthorized access spanned more than two months.
Method Of Initial Access
NYC Health + Hospitals indicated that initial access to its systems may have originated from a security breach involving a third-party vendor. The organization did not disclose the identity of the vendor. No additional technical details regarding the access vector were provided.
Data Exfiltration and Information Impacted
NYC Health + Hospitals confirmed that files were exfiltrated from its network. Some of those files contained personally identifiable information (PII) and protected health information (PHI).
The organization reviewed the impacted data to determine the scope of information involved and to identify affected individuals. Based on the data review conducted to date, the compromised information varied by individual and may have included the following categories of sensitive data:
- Names
- Medical information such as medical record numbers and diagnoses
- Medication information and treatment plans
- Test results and medical images
- Medical insurance information such as plan details and ID numbers
- Billing and claims information
- Biometric information
- Social Security numbers and government-issued ID numbers
- Financial account information and payment card numbers
- Online account credentials
- Precise geolocation data
Notification Process and Delay
NYC Health + Hospitals stated that notifications to affected individuals were delayed because it tool longer to review the impacted data and determine the scope of exposure. There were no instructions from law enforcement to delay notification. However, the organization worked over recent weeks to analyze the affected data before issuing notices.
Mitigation Measures Implemented
NYC Health + Hospitals reported that several actions have been taken to strengthen security controls and HIPAA compliance following the incident:
- Detection rules for cybersecurity tools were enhanced.
- Passwords for compromised accounts were reset.
- Additional detection technologies were deployed.
- Protective technologies were implemented.
- Remote access management policies were updated.
These measures were implemented to address identified risks associated with the incident.
Support Services for Affected Individuals
NYC Health + Hospitals is offering credit monitoring and identity theft protection services for 24 months. These services are available to affected employees and patients.
Regulatory Reporting Status
The data breach has been reported to appropriate authorities. However, the incident is not yet published on the breach portal maintained by the U.S. Department of Health and Human Services Office for Civil Rights at the time of reporting. The number of individuals affected has not been disclosed.
Image credit: momius, Adobestock / logo©NYCHealth+
