NYC Health, GitHub hit by breaches

- NYC Health + Hospitals said in March 2026 that hackers accessed its systems for months and copied files containing patient, employee and applicant data.
- GitHub said on May 20 it was investigating unauthorized access to internal repositories after detecting a compromised employee device tied to a poisoned VS Code extension.
- NYC Health + Hospitals said its notice stays posted through June 23, 2026, while GitHub said its investigation is ongoing.

NYC Health + Hospitals disclosed on March 24 that an unauthorized actor accessed certain systems between November 25, 2025 and February 11, 2026 and copied files from them. The public hospital system said it discovered suspicious activity on February 2, secured its network and brought in outside cybersecurity specialists. The notice said the actor may have gained access through a security breach at a third-party vendor.

The data categories listed by NYC Health + Hospitals were unusually broad. The system said affected information may include health insurance details, medical information, billing and payment data, Social Security numbers and other government identifiers, online account credentials, and biometric information including fingerprints and palm prints. The review of exactly which people and which data elements were involved is still ongoing, it said. (nychealthandhospitals.org)

GitHub said on May 20 that it was investigating unauthorized access to internal repositories after detecting and containing a compromise of an employee device involving a poisoned Visual Studio Code extension. In statements cited by multiple cybersecurity outlets, GitHub said it removed the malicious extension version, isolated the endpoint and began incident response immediately. (nychealthandhospitals.org)

GitHub’s current assessment is that the activity involved GitHub-internal repositories only. The company said an attacker claim that about 3,800 repositories were involved was “directionally consistent” with its investigation so far, according to reports citing GitHub’s public statements. GitHub also said there was no evidence that customer data stored outside the affected repositories had been compromised, though the investigation remains ongoing. (securityaffairs.com)

Taken together, the two incidents show different parts of the same problem. NYC Health + Hospitals is dealing with the exposure of highly sensitive healthcare, identity and biometric records after a months-long intrusion tied, by its account, to a third-party vendor. GitHub is dealing with a developer-tool compromise that appears to have reached internal code repositories through an employee endpoint. In both cases, the initial point of failure appears to sit outside the most obvious perimeter: a supplier connection in one case, a trusted software extension in the other. (securityaffairs.com)

That matters because many organizations now depend on digital intermediaries for routine operations. Hospital systems rely on vendors, remote access tools and data-sharing partners; software companies rely on code editors, extensions and developer marketplaces. When those layers are compromised, the damage is not limited to stolen files. It can also affect access to documentation, service portals, update channels and the systems people use to deliver care or maintain code. (nychealthandhospitals.org) This is an inference drawn from the attack paths described in the two disclosures.

NYC Health + Hospitals said its toll-free response line will remain active through at least June 23, 2026, and that its breach notice will stay on its homepage through that date. GitHub said its incident response is continuing as it investigates the scope of repository access and the claims made by the actor behind the intrusion. (nychealthandhospitals.org)
