Sen. Bill Cassidy (MD, R-Louisiana), chairman of the Senate Health, Education, Labor, and Pensions (HELP) Committee, is seeking information from New York City officials regarding a cybersecurity breach that occurred in late 2025 at NYC Health + Hospitals, the nation’s largest public health system.
The lawmaker is seeking answers from CEO Michael Katz, M.D., about the system’s security protocols, best practices, notification authorities and how to respond to incidents. mayor of new york The Zoran Mamdani government is also mentioned in the June 4 letter (PDF).
Cassidy has given officials until June 18th to respond.
NYC Health + Hospital notified affected individuals about the data security incident on March 24th. The system announced that it discovered suspicious activity affecting certain systems within its network on February 2nd, and that subsequent investigation revealed that an unauthorized user had accessed the system between November 25th and February 11th.
Preliminary investigation indicates that the user may have gained access to the system through a security breach from a third-party vendor. The system said the notification was not delayed as a result of the law enforcement investigation.
The information affected varies by individual, but the system was stated to include health insurance information. Medical information. Biological information. Billing, billing or payment information. or other personal information, such as social security number or precise geolocation data.
“Cybersecurity threats are among the most significant risks currently impacting healthcare systems,” Cassidy said in the letter, citing 628 breaches reported in 2025.
“As hostile actors increasingly use sophisticated tactics powered by artificial intelligence, it is imperative that the healthcare sector takes meaningful steps to protect patient and consumer information,” Cassidy wrote. “The recent cybersecurity incident affecting NYC Health + Hospitals, the largest public health system in the United States, has highlighted the risks cybersecurity incidents pose to patients.”
Cassidy is asking NYC Health + Hospitals officials for more information about what corrective actions the organization has taken or is planning to take to improve its security protocols. He also pressed health system officials to outline additional reporting that organizations are committed to making to individuals whose information has been disclosed, beyond reporting requirements under HIPAA.
According to the U.S. Department of Health and Human Services’ Breach Portal, there were 435 healthcare data breaches in 2025. These numbers only represent breaches that affected 500 or more people and are required by the federal government to be reported to Health and Human Services.
In 2025, there were a number of data breaches much larger than the New York City Health and Hospitals incident. This includes our trading partner Conduent Business Services, which reported a data breach that affected 62 million individuals.
Cassidy has stepped up scrutiny of major health data breaches and is leading investigations into several cybersecurity lapses, including those by OPEXUS and UnitedHealth Group.
In December, Cassidy and Sens. Maggie Hassan (D-NH), John Cornyn (R-TX), and Mark Warner (D-VA) reintroduced the Healthcare Cybersecurity and Resilience Act to protect Americans’ health data by strengthening cybersecurity. The bill was introduced by the Senate Support Committee in February.
