Senate Committee Demands Answers on NYC Health + Hospitals Cybersecurity Breach

The Senate Health, Education, Labor, and Pensions (HELP) Committee is pressing New York City officials for answers following a significant cybersecurity breach at NYC Health + Hospitals, the largest public health system in the United States. Chairman Sen. Bill Cassidy, M.D., R-La., has sent a letter to CEO Michael Katz, M.D., demanding detailed information on the incident and the steps taken to mitigate its impact.

The breach, which was discovered on February 2, 2026, involved unauthorized access to certain systems within NYC Health + Hospitals' network between November 25, 2025, and February 11, 2026. The hospital system notified affected individuals on March 24, revealing that the breach may have been facilitated by a security lapse at a third-party vendor.

Sen. Cassidy's letter, dated June 4, 2026, requests information on the health system’s security protocols, best practices, and the agencies notified about the incident. The senator also wants to know how NYC Health + Hospitals has responded to the breach and what measures are in place to prevent future incidents. Responses are due by June 18.

The affected data varied by individual but could include sensitive information such as health insurance details, medical records, biometric data, billing and payment information, Social Security numbers, and precise geolocation data. The hospital system has emphasized that the delay in notification was not due to any ongoing law enforcement investigation.

Cybersecurity Challenges in Healthcare

Cybersecurity threats are a growing concern for healthcare providers, with 628 reported breaches in 2025 alone. Sen. Cassidy highlighted this alarming trend in his letter, noting that hostile actors are increasingly using sophisticated tactics, including artificial intelligence (AI), to gain unauthorized access to sensitive information.

"Healthcare systems must take meaningful steps to safeguard patient and consumer information," Cassidy wrote. "At a time when these threats are becoming more advanced, it is essential for the healthcare sector to implement robust security measures."

The use of AI in healthcare has expanded rapidly, with applications ranging from diagnostic tools to administrative functions. However, not all AI systems are created equal, and they must navigate strict regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in the European Union.

In May 2026, EU regulations for medical devices incorporating AI came into effect, with high-risk enforcement set to begin on August 2, 2026. These regulations aim to ensure that AI systems used in healthcare are safe and reliable, while also protecting patient data from breaches.

What Comes Next

The Senate HELP Committee's inquiry into the NYC Health + Hospitals breach underscores the growing importance of cybersecurity in the healthcare sector. As hospitals and other providers continue to digitize their operations, they must remain vigilant against cyber threats that can compromise patient privacy and operational integrity.

The responses from NYC Health + Hospitals and New York City officials will be crucial in understanding the scope and impact of the breach. They will also provide insights into best practices for preventing similar incidents in the future. Sen. Cassidy's push for transparency and accountability is a step toward ensuring that healthcare systems are better prepared to protect their patients' sensitive information.

As the deadline for responses approaches, stakeholders in the healthcare industry will be watching closely to see how this case unfolds and what lessons can be learned for enhancing cybersecurity measures across the board.