NYC Health and Hospitals data breach affected 1.8 million individuals

New York City Health and Hospitals Corporation said a third party vendor breach enabled hackers to steal the data of 1.8 million people from its network between November and February.
 
The municipal healthcare provider first announced the data breach in a press release on its website on March 24, stating that it detected suspicious activity affecting certain systems in its internal network on February 2 and promptly launched an investigation to determine the nature and scope of the suspicious activity.

 

The investigation, conducted with help from external cyber security professionals, later determined that cyber criminals successfully infiltrated its systems on November 25, 2025, and exfiltrated stored data until the malicious access was severed on February 11.

 

"Although the investigation is ongoing, it appears that the unauthorised actor may have gained access to NYC Health + Hospitals systems due to a security breach at a third-party vendor," the provider said, adding that it was still in the process of identifying individuals whose data was impacted by the security incident.

 

NYC Health + Hospitals is the largest municipal healthcare delivery system in the United States, providing comprehensive healthcare services through a network of more than 70 patient care facilities to people living in all five boroughs of New York. 

 

The healthcare provider has a staff of more than 45,000 people who provide home care services, correctional health services, rehabilitation services, and long-term care. NYC Health + Hospitals also offers a health plan known as MetroPlus which presently covers more than 700,000 people living in and around the city of New York.

 

The healthcare provider said the data breach compromised patients’ detailed healthcare information, including their health insurance plan details, Medicare ID numbers, list of policies and names of insurance companies as well as their medical record numbers, disability codes, diagnoses, medications, test results, images, or treatment plans.

 

The data breach also compromised patients’ biometric details, such as their fingerprints or palm prints, as well as payment information such as online account credentials, credit and debit card numbers, taxpayer identification numbers, IRS-issued identity protection numbers and government-issued identification numbers.

 

The healthcare provider notified the U.S. Department of Health and Human Services Office for Civil Rights that the data breach incident affected approximately 1.8 million patients. The number of affected individuals was published on the OCR portal on Monday.

 

"To protect against future security incidents, NYC Health + Hospitals has taken a number of steps, including deploying additional detection and protective technologies across its network," the provider said.

 

"It reset credentials for all compromised accounts, implemented enhanced detection rules targeting the specific tools and techniques suspected to be used by the unauthorized individual, and updated its remote access management policies to prevent similar unauthorized entry points in the future."

 

NYC Health + Hospitals is providing two years of complimentary identity theft prevention and mitigation services, including credit monitoring services, through Kroll to all affected patients and employees to help protect their personal information from misuse.