NEW YORK —Credit unions in the New York area are going to want to caution members as NYC Health + Hospitals said a cybersecurity breach affecting its computer network may have exposed sensitive personal, financial and medical information belonging to patients and employees dating back to 2020, affecting approximately 1.8 million people.
In a notice posted March 24, NYC Health + Hospitals said it discovered suspicious activity affecting certain systems in its network on Feb. 2 and immediately secured the systems, launched an investigation and hired outside cybersecurity specialists.
According to NYC Health + Hospitals, investigators determined an unauthorized actor accessed certain systems between approximately Nov. 25, 2025, and Feb. 11, 2026, and copied files from those systems. The health system said its review of the affected individuals and data involved remains ongoing.
Third Party Vendor May be Culprit
NYC Health + Hospitals said the breach may have stemmed from a security incident involving a third-party vendor. The organization said notification to affected individuals was not delayed by any law enforcement investigation.
The information potentially exposed varies by individual and may include:
- Health insurance information, including policy and member identification numbers
- Medical information, such as medical record numbers, diagnoses, medications, test results, images and treatment plans
- Biometric information, including fingerprints and palm prints
- Billing, claims and payment information
- Personal information such as Social Security numbers, driver’s license or other government-issued identification numbers, taxpayer identification numbers, financial account information, online account credentials and precise geolocation data.
NYC Health + Hospitals said not every type of information was involved for every individual.
Investigation Underway
The organization said it hired what it described as a leading cybersecurity firm to investigate the incident and also retained a data analytics company to review the files that may have been accessed.
According to NYC Health + Hospitals, the system has since deployed additional detection and security technologies across its network, reset credentials for compromised accounts, enhanced detection rules targeting the tools and techniques believed to have been used in the intrusion and updated remote access management policies.
NYC Health + Hospitals said it will offer free identity theft protection and credit monitoring services through Kroll Information Assurance for 24 months to all individuals who have been patients or workforce members of the system at any time since 2020.
