NYC Health + Hospitals breached via vendor

NYC Health + Hospitals disclosed on March 24 that hackers accessed parts of its network for more than two months after what the system said appears to have been a security breach at a third-party vendor. The public hospital system said it detected suspicious activity on February 2, 2026, secured its network and brought in outside cybersecurity specialists to investigate. Its review found an unauthorized actor accessed certain systems between about November 25, 2025 and February 11, 2026 and copied files from them. (techcrunch.com) TechCrunch reported on May 18 that the breach affects at least 1.8 million people, citing the number the health system reported to the U.S. (nychealthandhospitals.org) Department of Health and Human Services. NYC Health + Hospitals is the largest public health system in the United States and serves more than 1 million New Yorkers, according to TechCrunch. ### How did the attackers get in? NYC Health + Hospitals said in its breach notice that the unauthorized actor “may have gained access” to its systems because of a security breach at a third-party vendor. The system did not name the vendor in the public notice. (nychealthandhospitals.org) The notice does not say whether the intrusion involved stolen credentials, malware or a ransom demand. TechCrunch said a spokesperson for the system did not immediately respond to questions including whether the organization had heard from the hackers or received a payment demand. (techcrunch.com) ### What kinds of records were taken? NYC Health + Hospitals said the exposed information varies by person and that not every data element was involved in every case. The system said the data may include health insurance details, medical information such as diagnoses, medications, test results, images and treatment plans, biometric information including fingerprints and palm prints, billing and payment information, and other personal information including Social Security numbers, driver’s license numbers, taxpayer identification numbers, precise geolocation data, financial account information and online account credentials. (nychealthandhospitals.org) (techcrunch.com) TechCrunch reported that the biometric data is especially sensitive because fingerprints and palm prints cannot be changed if stolen. The outlet said NYC Health + Hospitals did not explain in its notice why it stored biometric data, though prospective employees are generally required to provide fingerprints for criminal background checks. ### Why does the vendor detail matter here? The breach notice ties the incident to a third-party vendor rather than to a directly described attack on the hospital system’s own perimeter. HHS says a HIPAA covered entity must notify the secretary without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured protected health information, and a business associate may submit a breach report on behalf of a covered entity. (nychealthandhospitals.org) Malwarebytes wrote this week that third-party incidents can spread widely because people often do not know their data sits with outside contractors. In a separate 2026 case involving Conduent, Malwarebytes said millions of people were affected even though many had never heard of the vendor handling their data. (techcrunch.com) ### What are affected people being told to do? NYC Health + Hospitals said it set up a dedicated response website and a toll-free call center so people can find out whether their information may have been involved. The system said the call line, 844-403-4518, will remain active at least until June 23, 2026, and that the notice will stay posted on its homepage through the same date. (nychealthandhospitals.org) The U.S. Department of Health and Human Services says covered entities must report breaches affecting 500 or more individuals through its online portal, and those reports are listed as cases under investigation. NYC Health + Hospitals said its review to identify affected individuals and the specific data elements involved remains ongoing. (malwarebytes.com) (hhs.gov) (nychealthandhospitals.org)