
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Senator Seeks Answers from NYC Health & Hospitals About 1.8M Record Breach

The Senate Health, Education, Labor, and Pensions (HELP) Committee Chair Senator Bill Cassidy, M.D. (R-LA), is seeking answers from NYC Health + Hospitals about the steps that have been taken since its recent data breach to improve its security protocols to prevent further cybersecurity incidents and breaches of patient data.

NYC Health + Hospitals discovered suspicious activity within its computer systems on February 2, 2026, with its investigation determining that its systems were accessed by an unauthorized third party for almost three months before the intrusion was detected. The threat actor first accessed its system on February 25, 2026, and retained access until February 11, 2026. The investigation suggests access was gained via a third-party vendor. Data compromised in the incident included names, Social Security numbers, medical information, health insurance information, billing and claims information, payment information, and precise geolocation data. The data breach was reported to the HHS’ Office for Civil Rights as affecting 1.8 million individuals.

In the letter to NYC Health + Hospitals CEO Mitchell Katz and CC’d to NYC Mayor Zohran Mamdani, Sen. Cassidy pointed out that healthcare data breaches are being reported in high numbers. Currently, 772 large healthcare data breaches are listed on the OCR data breach portal, making 2025 a record year for healthcare data breaches. These incidents result in delayed care, and data theft puts patients at risk of identity theft and fraud. NYC Health + Hospitals is the largest public health system in the United States, providing care to 1 million patients a year, and its data breach has created a substantial risk to the population it serves.

Sen. Cassidy seeks answers on both the cybersecurity controls in place prior to the cybersecurity incident and the measures implemented post-incident to protect against further cyberattacks. Specifically, Sen. Cassidy wants answers about the cyber and physical security protocols in place to protect against cyberattacks, how cybersecurity best practices implemented by other critical infrastructure sectors have been incorporated into its security policies and protocols, exactly when it became aware of an intrusion, when and which federal agencies were notified about the incident, and the remedial steps taken to improve security protocols.

Sen. Cassidy also wants more detail about the steps taken to identify any additional information that may have been accessed in the attack, how it is proactively communicating with potentially impacted individuals and entities, and what additional reporting it will commit to doing for the affected individuals, beyond the reporting requirements of HIPAA. Sen. Cassidy is seeking a response to the questions no later than June 18, 2026.

Sen. Cassidy is taking a keen interest in cybersecurity incidents at healthcare organizations. He sent a similar letter to Aflac following its massive data breach in 2025 – the second-largest healthcare data breach of the year, affecting almost 14 million individuals – and UnitedHealth Group following the Change Healthcare cyberattack in 2024.

Sen. Cassidy, along with Sens. Maggie Hassan (D-NH), Mark Warner (D-VA), and John Cornyn (R-TX), reintroduced the Health Care Cybersecurity and Resiliency Act last year, which was advanced by the HELP Committee this spring, in an attempt to strengthen healthcare cybersecurity and improve resiliency against ever-increasing healthcare cyberattacks and data breaches.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
