High Severity (Score: 7/10)

NYC Health + Hospitals Vendor Breach Exposes 5,728 Patient Records


Breach Details

Entity: NYC Health + Hospitals
Individuals Affected: 5,728
State: NY
Breach Type: Hacking/IT Incident
Location: Network Server
Date Reported: June 6, 2025
Entity Type: Healthcare Provider
Business Associate: Yes

New York's largest public health system, NYC Health + Hospitals, has disclosed a data breach affecting 5,728 patients that originated not on its own network but at a subcontractor of one of its vendors. The incident illustrates a recurring problem in healthcare's vendor ecosystem: a covered entity remains accountable for PHI it never directly controls, which is why third-party risk management is a core HIPAA compliance obligation rather than an afterthought.

What Happened

On April 9, 2025, NYC Health + Hospitals was notified that Renkim, a subcontractor of one of their vendors, experienced a data security incident. Renkim provides electronic, print, and mail processing services to the health system.

The breach was classified as a hacking/IT incident affecting the vendor's network server. NYC Health + Hospitals reported the incident to the U.S. Department of Health and Human Services (HHS) on June 6, 2025, nearly two months after being notified of the incident.

The health system also published a "Notification of Possible PHI Disclosure" on its website the same day it filed the HHS report. A public web notice of this kind complements, but does not replace, the individual written notices that the Breach Notification Rule (45 CFR 164.404) requires; the page does not state when those individual letters were sent.

Who Is Affected

The data breach impacted 5,728 patients of NYC Health + Hospitals. As the largest public health system in the United States, NYC Health + Hospitals operates 11 acute care hospitals, five post-acute care facilities, six diagnostic and treatment centers, and more than 70 community-based primary care sites across the five boroughs.

While the breach affected a relatively small percentage of the health system's patient population, any unauthorized access to protected health information (PHI) represents a serious privacy violation with potential consequences for affected individuals.

Breach Details

The incident occurred at Renkim, a subcontractor providing electronic, print, and mail processing services. Such layered relationships are common in healthcare: a covered entity engages a business associate, which in turn passes PHI to its own subcontractors. Under HIPAA (45 CFR 160.103), a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate, so the vendor must hold its own business associate agreement with Renkim, and Renkim is directly subject to the Security Rule.

Key timeline details include:

  • April 9, 2025: NYC Health + Hospitals notified of the incident
  • June 6, 2025: Breach reported to HHS and public notification issued

The 58 days between notification and public disclosure fall within HIPAA's outer limit of 60 calendar days from discovery (45 CFR 164.404), and because more than 500 individuals were affected, the report to HHS was due within the same window (45 CFR 164.408), which is why the HHS filing and the public notice landed on the same day. The rule also requires notification "without unreasonable delay," so using nearly the entire window is permitted but not ideal. The notice does not explain what the investigation entailed, how many days elapsed between the intrusion at Renkim and the April 9 notification to NYC Health + Hospitals, or when the intrusion itself occurred.

The OCR portal classifies the breach as a hacking/IT incident located on a network server, which indicates an intrusion into Renkim's systems rather than a lost device, a misdirected mailing, or insider misuse. Beyond that, the available documentation does not disclose the attack method, whether ransomware or data exfiltration was involved, how long the attacker had access, or which data elements were accessed.

What This Means for Patients

For the 5,728 affected patients, this breach represents a potential exposure of their protected health information. The notice does not list the data elements involved; given Renkim's role in print and mail processing, the data was most likely the content of patient correspondence, and PHI handled by such vendors commonly includes:

  • Names and demographic information
  • Medical record numbers
  • Health insurance information
  • Treatment and diagnosis details
  • Potentially Social Security numbers or other identifiers

Patients should monitor their medical records and insurance statements for any unauthorized activity. Any suspicious activity should be reported immediately to healthcare providers and insurance companies.

The breach also lands during a transition in New York's regulatory baseline. The New York State Department of Health's hospital cybersecurity regulation, codified at 10 NYCRR § 405.46 and adopted in October 2024, builds on HIPAA by requiring general hospitals to, among other things, report material cybersecurity incidents to the Department within 72 hours, maintain a cybersecurity program with written policies, and address the risks posed by third-party service providers. The 72-hour reporting requirement took effect on adoption; hospitals were given until October 2, 2025 to comply with the remaining requirements.

How to Protect Yourself

If you're a patient of NYC Health + Hospitals, consider taking these protective steps:

Immediate Actions:

  1. Monitor medical records: Review all medical statements and insurance explanations of benefits for unauthorized services
  2. Check credit reports: Look for medical debt or accounts you didn't open
  3. Watch for medical identity theft: Be alert to insurance claims for services you didn't receive

Ongoing Vigilance:

  1. Set up account alerts: Enable notifications for medical and insurance accounts when possible
  2. Verify provider communications: Be suspicious of unexpected medical bills or insurance communications
  3. Report suspicious activity: Contact your healthcare provider and insurance company immediately if you notice irregularities

Documentation:

  1. Keep records: Save all communications related to the breach
  2. Document concerns: Note any suspicious activity with dates and details

Unfortunately, the available breach notice doesn't indicate whether NYC Health + Hospitals or Renkim is offering credit monitoring services to affected patients.

Prevention Lessons for Healthcare Providers

This incident underscores critical lessons for healthcare organizations managing vendor relationships:

Third-Party Risk Management:

  • Conduct thorough security assessments of all business associates and subcontractors
  • Require vendors to maintain cybersecurity insurance and incident response plans
  • Implement continuous monitoring of vendor security practices
  • Establish contractual breach notification timelines shorter than HIPAA's default: the Breach Notification Rule gives a business associate up to 60 days after discovery to notify the covered entity (45 CFR 164.410), and a covered entity that then needs most of its own 60 days to investigate and notify can end up, as here, issuing notices at the edge of the window

Business Associate Agreements:

  • Ensure all business associate agreements (BAAs) include subcontractor requirements
  • Require vendors to obtain equivalent protections from their subcontractors, as HIPAA already obliges them to do (45 CFR 164.502(e)(1)(ii) and 164.504(e)(5)), and verify that those downstream agreements actually exist rather than taking the vendor's word for it
  • Include specific incident response and notification requirements
  • Establish clear liability and responsibility frameworks

Incident Response:

  • Develop procedures for vendor-related incidents
  • Establish communication protocols with business associates
  • Create templates for patient notifications and regulatory reporting
  • Practice incident response scenarios involving third parties

Compliance with State Requirements: New York's hospital cybersecurity regulation at 10 NYCRR § 405.46 layers state obligations on top of HIPAA, including 72-hour incident reporting to the Department of Health and explicit expectations for managing third-party service providers. With the compliance deadline for most of its requirements set for October 2, 2025, hospitals must ensure their vendor management practices satisfy both the federal and state rules.

Regular Auditing:

  • Conduct periodic security assessments of vendor relationships
  • Review and update business associate agreements regularly
  • Monitor vendor compliance with security requirements
  • Maintain an inventory of all third-party relationships and their risk levels

The NYC Health + Hospitals breach serves as a reminder that healthcare cybersecurity extends far beyond an organization's own network. In today's interconnected healthcare ecosystem, protecting patient data requires comprehensive oversight of every vendor, contractor, and subcontractor with access to PHI.

For healthcare providers, this incident highlights the importance of treating third-party risk management as a core component of HIPAA compliance strategy, not an afterthought.

Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.