Notice of Data Breach

New York City Health + Hospitals Corporation (“NYC Health + Hospitals”) is posting this notice to inform affected individuals about a data security incident that may have affected some of their personal information and/or protected health information, and to provide details about what happened, what information may have been involved, what NYC Health + Hospitals is doing in response, and what resources are available to individuals whose information may have been impacted. NYC Health + Hospitals is providing this notice in accordance with HIPAA regulations, including 45 CFR § 164.404(d)(2). Where required by applicable law, NYC Health + Hospitals is also providing email notice when available and notice to certain major statewide media in print and broadcast.

This notice will remain posted on the home page of NYC Health + Hospitals website through June 23, 2026. Our dedicated toll-free response line, (844) 403-4518, will remain active at least until June 23, 2026 so that individuals can learn whether their information might have been impacted by the incident.

What Happened?

On February 2, 2026, NYC Health + Hospitals discovered suspicious activity affecting certain systems in its computer network and immediately secured its network, began an investigation, and engaged external cybersecurity professionals for support. The investigation determined that an unauthorized actor accessed certain NYC Health + Hospitals’ systems between approximately November 25, 2025 and February 11, 2026, and copied certain files from those systems. NYC Health + Hospitals’ review to identify the individuals, and specific data elements involved remains ongoing. Although the investigation is ongoing, it appears that the unauthorized actor may have gained access to NYC Health + Hospitals systems due to a security breach at a third-party vendor. This notification was not delayed as a result of a law enforcement investigation.

What Information Was Involved?

Based on the review to date, the information involved varies by individual, the affected information may include one or more of the following, though not every data element was involved for every affected individual:
• Health insurance information (such as plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
• Medical information (such as medical record numbers, disability codes, diagnoses, medications, test results, images, or treatment plans);
• Biometric information (including fingerprints and palm prints);
• Billing, claims, and payment information; or
• Other personal information such as Social Security numbers, driver’s license numbers or other government-issued identification numbers, taxpayer identification numbers or IRS-issued identity protection numbers, precise geolocation data, credit or debit card numbers, financial account information or credentials, or online account credentials.

What We Are Doing.

Upon discovering the incident, NYC Health + Hospitals immediately launched a thorough investigation with the support of a leading cybersecurity firm. NYC Health + Hospitals also engaged a leading data analytics firm to analyze the contents of the data that may have been accessed without authorization. The investigation is ongoing. To protect against future security incidents, NYC Health + Hospitals has taken a number of steps, including deploying additional detection and protective technologies across its network. It reset credentials for all compromised accounts, implemented enhanced detection rules targeting the specific tools and techniques suspected to be used by the unauthorized individual, and updated its remote access management policies to prevent similar unauthorized entry points in the future. Out of an abundance of caution, NYC Health + Hospitals is making identity theft prevention and mitigation services, including credit monitoring, available through Kroll Information Assurance, LLC for a period of twenty-four (24) months at no cost to all individuals who have, at any time since 2020 (the “Eligibility Period”), been:
• a workforce member of NYC Health + Hospitals; or
• a patient of NYC Health + Hospitals.

If you were a workforce member or patient of NYC Health + Hospitals during the Eligibility Period, visit NYCHealth_Hospitalsincident.kroll.com or call our toll-free call center at (844) 403-4518.

What You Can Do.

In addition to taking advantage of the above services, NYC Health + Hospitals encourages potentially affected individuals to remain vigilant, to review account statements, explanation-of-benefits statements, and credit reports for suspicious activity, and to report suspected identity theft or fraud promptly. You can find more detailed information about how to take these steps below.

• If online account credentials may have been involved, change the password for the affected account and for any other account on which the same or a similar password was used.
• Enroll in the offered identity protection services, if eligible.
• Review account statements, explanation-of-benefits statements, and credit reports for suspicious activity.
• Report suspected identity theft or fraud promptly to financial institutions, insurers, or other relevant organizations.
• Consider placing a fraud alert or security freeze on your credit file.

  • A fraud alert tells creditors to take extra steps to verify your identity before extending credit. An initial fraud alert lasts one year and can be placed by contacting any one of the three major credit reporting agencies listed below that agency will notify the other two.

  • A security freeze restricts access to your credit report, making it more difficult for identity thieves to open new accounts in your name. There is no charge to place, temporarily lift, or permanently remove a security freeze. To place a freeze, contact each of the three credit reporting agencies directly using the contact information listed below.

• You have the right to file a police report if you believe you are a victim of identity theft. You may also obtain information from law enforcement about identity theft crimes.

For More Information.

NYC Health + Hospitals regrets any concern or inconvenience this incident may cause. Individuals with questions may call (844) 403-4518, Monday through Friday, from 9:00 a.m. to 6:30 p.m. Eastern Time (ET) starting on March 24, 2026 and remaining active for at least 90 days. NYC Health + Hospitals will supplement this notice if material additional information is confirmed.

To activate monitoring services for adults the age of 18 and over click here.


Adult Activate Now

Activate Adult Identity Monitoring Services:

Single Bureau

You will receive alerts when there are changes to your credit data—for instance, when a new line of credit is applied for in your name. If you do not recognize the activity, you’ll have the option to call a Kroll fraud specialist, who can help you determine if it’s an indicator of identity theft. To receive credit services, you must be over the age of 18 and have established credit in the U.S., have a Social Security number in your name, and have a U.S. residential address associated with your credit file.

Fraud Consultation

You have unlimited access to consultation with a Kroll fraud specialist. Support includes showing you the most effective ways to protect your identity, explaining your rights and protections under the law, assistance with fraud alerts, and interpreting how personal information is accessed and used, including investigating suspicious activity that could be tied to an identity theft event.

Identity Theft Restoration

If you become a victim of identity theft, an experienced Kroll licensed investigator will work on your behalf to resolve related issues. You will have access to a dedicated investigator who understands your issues and can do most of the work for you. Your investigator can dig deep to uncover the scope of the identity theft, and then work to resolve it.

ADDITIONAL RESOURCES

Copyright © 2021 Kroll - All Rights Reserved. | Privacy Policy