New York City Health + Hospitals, the largest public health system in the United States, reported a data breach affecting approximately 1.8 million patients. The breach was linked to a third-party vendor with access to patient data systems. The incident is among the largest healthcare data breaches reported in 2026, and it illustrates the persistent risk that vendor access relationships create for health systems managing large patient populations.
The exposed data included patient names, dates of birth, medical record numbers, diagnosis codes, treatment information, and in some cases Social Security numbers and insurance information. The breadth of data affected reflects the operational reality of large health systems, where vendors handling billing, scheduling, electronic health records, and administrative functions all require access to patient data to perform their roles.
Healthcare data breaches have increased in frequency and scale as health systems have adopted cloud-based records platforms, AI-assisted clinical tools, and expanded the number of vendor relationships required to support modern hospital operations. The health sector consistently ranks among the most-breached industries in annual reports from HHS Office for Civil Rights.
Artificial intelligence tools that analyze patient data for clinical decision support, predictive analytics, and administrative automation require access to the same sensitive records involved in this breach. As AI adoption in healthcare accelerates, the attack surface created by data access grants to AI vendors and their underlying infrastructure providers grows correspondingly.
NYC Health + Hospitals notified affected patients as required by HIPAA breach notification rules and offered credit monitoring services. The hospital system has 11 hospitals, four nursing facilities, and more than 70 community health centers across the five boroughs.
Source: Healthcare IT News -- https://www.healthcareitnews.com