Community Health Action of Staten Island reports data security incident potentially exposing health information

Community Health Action of Staten Island, a nonprofit organization that provides health services and social support programs for vulnerable populations in Staten Island, New York, has disclosed a data security incident that may have involved unauthorized access to sensitive personal and medical information.

The organization recently notified certain individuals that an unauthorized party gained access to its network and may have obtained records containing personally identifiable information and protected health information. The potentially exposed data includes individuals’ names in combination with Social Security numbers, driver’s license or non-driver identification card numbers, bank account and routing numbers, medical information, and health insurance information.

Community Health Action of Staten Island informed the Massachusetts Attorney General of the incident in a filing dated Feb. 25, 2026. The notice indicates that two Massachusetts residents were affected. The total number of impacted individuals has not been disclosed.

Letters sent to affected individuals state that the organization identified a cybersecurity incident involving unauthorized access to its systems. The specific nature and timeline of the intrusion were not detailed in the notification.

Cybercriminal activity linked to the Genesis ransomware group has been associated with the incident. The group listed Community Health Action of Staten Island on its dark web data leak site and claims to have exfiltrated approximately 200,000 records containing personal and medical data. The alleged dataset includes records associated with HIV testing databases, employee information, and other health records subject to federal health privacy protections.

The incident has not yet appeared on the breach portal maintained by the U.S. Department of Health and Human Services’ Office for Civil Rights, which tracks healthcare data breaches affecting 500 or more individuals.

Community Health Action of Staten Island has offered affected individuals complimentary credit monitoring and identity theft protection services for two years as a precautionary measure.

The organization has not publicly confirmed the scope of the breach or the exact number of individuals whose data may have been compromised.