Notice of Data Breach
Mar 24, 2026
Notice of Data Breach
New York City Health and Hospitals Corporation (“NYC Health + Hospitals”) is posting this notice to inform affected individuals about a data security incident that may have affected some of their personal information and/or protected health information, and to provide details about what happened, what information may have been involved, what NYC Health + Hospitals is doing in response, and what resources are available to individuals whose information may have been impacted. NYC Health + Hospitals is providing this notice in accordance with HIPAA regulations, including 45 CFR § 164.404(d)(2). Where required by applicable law, NYC Health + Hospitals is also providing email notice when available and notice to certain major statewide media in print and broadcast.
This notice will remain posted on the home page of NYC Health + Hospitals website through June 23, 2026. Our dedicated toll-free response line, (844) 403-4518, will remain active at least until June 23, 2026 so that individuals can learn whether their information might have been impacted by the incident.
What Happened?
On February 2, 2026, NYC Health + Hospitals discovered suspicious activity affecting certain systems in its computer network and immediately secured its network, began an investigation, and engaged external cybersecurity professionals for support. The investigation determined that an unauthorized actor accessed certain NYC Health + Hospitals’ systems between approximately November 25, 2025 and February 11, 2026, and copied certain files from those systems. NYC Health + Hospitals’ review to identify the individuals, and specific data elements involved remains ongoing. Although the investigation is ongoing, it appears that the unauthorized actor may have gained access to NYC Health + Hospitals systems due to a security breach at a third-party vendor. This notification was not delayed as a result of a law enforcement investigation.
What Information Was Involved?
Based on the review to date, the information involved varies by individual, the affected information may include one or more of the following, though not every data element was involved for every affected individual:
- Health insurance information (such as plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Medical information (such as medical record numbers, disability codes, diagnoses, medications, test results, images, or treatment plans);
- Biometric information (including fingerprints and palm prints);
- Billing, claims, and payment information; or
- Other personal information such as Social Security numbers, driver’s license numbers or other government-issued identification numbers, taxpayer identification numbers or IRS-issued identity protection numbers, precise geolocation data, credit or debit card numbers, financial account information or credentials, or online account credentials.
What We Are Doing.
Upon discovering the incident, NYC Health + Hospitals immediately launched a thorough investigation with the support of a leading cybersecurity firm. NYC Health + Hospitals also engaged a leading data analytics firm to analyze the contents of the data that may have been accessed without authorization. The investigation is ongoing.
To protect against future security incidents, NYC Health + Hospitals has taken a number of steps, including deploying additional detection and protective technologies across its network. It reset credentials for all compromised accounts, implemented enhanced detection rules targeting the specific tools and techniques suspected to be used by the unauthorized individual, and updated its remote access management policies to prevent similar unauthorized entry points in the future.
Out of an abundance of caution, NYC Health + Hospitals is making identity theft prevention and mitigation services, including credit monitoring, available through Kroll Information Assurance, LLC for a period of twenty-four (24) months at no cost to all individuals who have, at any time since 2020 (the “Eligibility Period”), been:
- a workforce member of NYC Health + Hospitals; or
- a patient of NYC Health + Hospitals.
If you were a workforce member or patient of NYC Health + Hospitals during the Eligibility Period, visit https://nychealth-hospitalsincident.kroll.com/ or call our toll-free call center at (844) 403-4518.
What You Can Do.
In addition to taking advantage of the above services, NYC Health + Hospitals encourages potentially affected individuals to remain vigilant, to review account statements, explanation-of-benefits statements, and credit reports for suspicious activity, and to report suspected identity theft or fraud promptly. You can find more detailed information about how to take these steps below.
- If online account credentials may have been involved, change the password for the affected account and for any other account on which the same or a similar password was used.
- Enroll in the offered identity protection services, if eligible.
- Review account statements, explanation-of-benefits statements, and credit reports for suspicious activity.
- Report suspected identity theft or fraud promptly to financial institutions, insurers, or other relevant organizations.
- Consider placing a fraud alert or security freeze on your credit file.
- A fraud alert tells creditors to take extra steps to verify your identity before extending credit. An initial fraud alert lasts one year and can be placed by contacting any one of the three major credit reporting agencies listed below that agency will notify the other two.
- A security freeze restricts access to your credit report, making it more difficult for identity thieves to open new accounts in your name. There is no charge to place, temporarily lift, or permanently remove a security freeze. To place a freeze, contact each of the three credit reporting agencies directly using the contact information listed below.
- You have the right to file a police report if you believe you are a victim of identity theft. You may also obtain information from law enforcement about identity theft crimes.
For More Information.
NYC Health + Hospitals regrets any concern or inconvenience this incident may cause. Individuals with questions may call (844) 403-4518, Monday through Friday, from 9:00 a.m. to 6:30 p.m. Eastern Time (ET) starting on March 24, 2026 and remaining active for at least 90 days. NYC Health + Hospitals will supplement this notice if material additional information is confirmed.
https://nychealth-hospitalsincident.kroll.com
ADDITIONAL RESOURCES
The following resources may be helpful to potentially affected individuals:
| Resource | Contact information |
| Free credit reports | www.annualcreditreport.com | 1-877-322-8228 |
| Identity theft recovery assistance | www.IdentityTheft.gov | 1-877-438-4338 |
| Fraud alerts and security freezes | Equifax: P.O. Box 740241, Atlanta, GA 30374, 1-800-685-1111, www.equifax.com/personal/credit-report-services Experian: P.O. Box 4500, Allen, TX 75013, 1-888-397-3742, www.experian.com TransUnion: P.O. Box 1000, Chester, PA 19016, 1-800-916-8800, www.transunion.com |
Federal Trade Commission and State Attorneys General Offices. If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You may also contact these agencies for information on how to prevent or avoid identity theft.
You may contact the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580, www.IdentityTheft.gov 1-877-438-4338. You may also contact your local state Attorney General.
- For Connecticut residents: You may contact the Connecticut Attorney General Office, 165 Capitol Avenue, Hartford, CT 06106, https://portal.ct.gov/ag/contact-the-attorney-generals-office/contact-the-attorney-generals-office 860-808-5420.
- For New Jersey residents: You may contact the Office of the Attorney General for the New Jersey Division of Consumer Affairs, 124 Halsey Street, Newark, NJ 07102, https://www.njconsumeraffairs.gov/Pages/Consumer-Complaints.aspx 1-800-242-5846.
- For New York residents: You may contact the Office of the Attorney General for the New York Office of Consumer Protection, 123 William Street, New York, NY 10038-3804, https://dos.ny.gov/consumer-protection 1-800-697-1220.
- For Pennsylvania residents: You may contact the Pennsylvania Attorney General Office, 16th Floor, Strawberry Square, Harrisburg, PA 17120, https://www.attorneygeneral.gov/ 717-787-3391.
For residents of all other states: You may contact the Attorney General’s office or consumer protection agency in your state of residence. A directory of state attorney general offices is available at https://www.naag.org/find-my-ag/.
Fair Credit Reporting Act. You also have rights under the Fair Credit Reporting Act, which promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies. The FTC has published a list of the primary rights created by the FCRA (https://www.ftc.gov/enforcement/statutes/fair-credit-reporting-act). The FTC’s list of FCRA rights includes:
- You have the right to receive a copy of your credit report. The copy of your report must contain all the information in your file at the time of your request.
- Each of the nationwide credit reporting agencies is required to provide you with a free copy of your credit report, at your request, once every 12 months.
- You are also entitled to a free report if a company takes adverse action against you, like denying your application for credit, insurance, or employment, and you ask for your report within 60 days of receiving notice of the action. The notice will give you the name, address, and phone number of the credit reporting agency. You are also entitled to one free report a year if you are unemployed and plan to look for a job within 60 days; if you are on welfare; or if your report is inaccurate because of fraud, including identity theft.
- You have the right to ask for a credit score.
- You have the right to dispute incomplete or inaccurate information.
- Consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information.
- Consumer reporting agencies may not report outdated negative information.
- Access to your file is limited. You must give your consent for reports to be provided to employers.
- You may limit “prescreened” offers of credit and insurance you receive based on information in your credit report.
- You may seek damages from violators.
- Identity theft victims and active-duty military personnel have additional rights.
