NYC Health + Hospitals Reports Data Breach

It appears that the unauthorized actor may have gained access to NYC Health + Hospitals systems due to a security breach at a third-party vendor.

By HFT Staff


On February 2, 2026, NYC Health + Hospitals discovered suspicious activity affecting certain systems in its computer network and immediately secured its network, began an investigation and engaged external cybersecurity professionals for support. The investigation determined that an unauthorized actor accessed certain NYC Health + Hospitals’ systems between approximately November 25, 2025, and February 11, 2026, and copied certain files from those systems.  

NYC Health + Hospitals’ review to identify the individuals and specific data elements involved remains ongoing. Although the investigation is ongoing, it appears that the unauthorized actor may have gained access to NYC Health + Hospitals systems due to a security breach at a third-party vendor. This notification was not delayed as a result of a law enforcement investigation. 

Based on the review to date, the information involved varies by individual. The affected information may include one or more of the following, though not every data element was involved for every affected individual:

  • Health insurance information (such as plans/policies, insurance companies, member/group ID numbers and Medicaid-Medicare-government payor ID numbers); 
  • Medical information (such as medical record numbers, disability codes, diagnoses, medications, test results, images, or treatment plans); 
  • Biometric information (including fingerprints and palm prints); 
  • Billing, claims, and payment information; or 
  • Other personal information such as Social Security numbers, driver’s license numbers or other government-issued identification numbers, taxpayer identification numbers or IRS-issued identity protection numbers, precise geolocation data, credit or debit card numbers, financial account information or credentials or online account credentials. 

Upon discovering the incident, NYC Health + Hospitals immediately launched a thorough investigation with the support of a leading cybersecurity firm. NYC Health + Hospitals also engaged a leading data analytics firm to analyze the contents of the data that may have been accessed without authorization. The investigation is ongoing. 

To protect against future security incidents, NYC Health + Hospitals has taken a number of steps, including deploying additional detection and protective technologies across its network. It reset credentials for all compromised accounts, implemented enhanced detection rules targeting the specific tools and techniques suspected to be used by the unauthorized individual, and updated its remote access management policies to prevent similar unauthorized entry points in the future.



March 26, 2026


Topic Area: Information Technology, Security

