Up to 1.8 Million Individuals Affected by NYC Health + Hospitals Data Breach
The HIPAA Journal reported on a data breach affecting patients of NYC Health + Hospitals Corporation in late March (see below), after the New York healthcare provider disclosed details of the breach. Hackers had access to its network for 11 weeks, with the investigation suggesting that initial access was gained via a security breach at one of its vendors. At the time of reporting, it was unclear how many individuals had been affected.
NYC Health + Hospitals is the largest public health system in the United States, and serves more than 1 million New Yorkers, mostly uninsured patients under state benefits programs such as Medicaid. The Department of Health and Human Services Office for Civil Rights (OCR) breach portal has been updated to show that the personal and protected health information of approximately 1.8 million current and former patients and employees was compromised in the incident, making this one of the largest healthcare data breaches to be announced so far this year.
The affected employees and patients have been offered complimentary credit monitoring and identity theft protection services for 24 months. Those services are being made available free of charge to any individual who was a workforce member for NYC Health + Hospitals or a patient of NYC Health + Hospitals at any point between 2020 and February 2, 2026.
March 25, 2026: NYC Health + Hospitals Discloses 11-week Network Compromise
On March 24, 2026, NYC Health + Hospitals Corporation announced that personally identifiable information (PII) and protected health information (PHI) were exposed in a data security incident. NYC Health + Hospitals identified suspicious activity within its computer network on February 2, 2026. Immediate action was taken to secure the affected systems, and an investigation was launched to determine the nature and scope of the unauthorized activity, with assistance provided by third-party cybersecurity specialists.
The investigation determined that an unauthorized third party first gained access to its network more than two months previously, on November 25, 2026, and retained access until February 11, 2026. The investigation into the incident is ongoing; however, NYC Health + Hospitals believes that initial access to its systems may have been gained in a security breach at one of its third-party vendors. The name of that vendor was not disclosed.
NYC Health + Hospitals determined that files were exfiltrated from its network, some of which contained PII and PHI. Over the past few weeks, NYC Health + Hospitals has been reviewing the impacted data to determine the types of information involved and the individuals affected by the incident. The delay in issuing notifications to the affected individuals was due to the time taken to review the affected data. There were no instructions from law enforcement to delay notifications.
Based on the results of the data review to date, the following types of data were compromised in the incident: names; medical information (medical record numbers, disability codes, diagnoses, medications, test results, images, treatment plans); health insurance information (plans/policies, insurance companies, member/group ID numbers, Medicaid-Medicare-government payor ID numbers); billing/claims information; biometric information (fingerprints and palm prints); personal information (Social Security numbers, driver’s license numbers or other government-issued identification numbers, taxpayer identification numbers or IRS-issued identity protection numbers, precise geolocation data, credit or debit card numbers, financial account information or credentials, online account credentials). The information involved varies from individual to individual.
NYC Health + Hospitals said several steps have been taken to bolster security to prevent similar incidents in the future. They include enhanced detection rules for cybersecurity tools, password resets for compromised accounts, additional detection and protective technologies, and updates to remote access management policies. Credit monitoring and identity theft protection services have been offered to the affected employees and patients for 24 months.
This is the second large data breach to be reported by NYC Health + Hospitals so far this year. An earlier incident occurred around the same time as this hacking incident, and while it exposed the data of NYC Health + Hospitals patients, the breach occurred at one of its Care Management Agency Partners, NADAP. NADAP provides care coordination services to patients who received services under NYC Health + Hospitals’ Lead Health Home.
The data breach exposed the protected health information of 5,086 individuals. The incident occurred on or around November 26, 2025, and was identified by NADAP on January 10, 2026. NYC Health + Hospitals was notified about the data breach on January 2, 2026. Data compromised in the incident included patients’ names, dates of birth, addresses, Medicaid numbers, Social Security numbers, and clinical information related to their home-based health care provided by NADAP.


