NYC Health + Hospitals Discloses Two Separate Third‑Party Data Breaches Exposing Over 90,000 Patient Records
What Happened – Hackers accessed NYC Health + Hospitals’ network for nearly three months via a security breach at an unnamed third‑party vendor, stealing extensive patient data. A second, unrelated breach at the National Association on Drug Abuse Programs (NADAP), a care‑management partner, exposed the records of 5,086 of NYC Health’s patients and an estimated 90,000 individuals across NADAP’s client base.
Why It Matters for TPRM –
- Third‑party vulnerabilities can give attackers prolonged footholds in critical healthcare environments.
- Sensitive health, biometric, and financial data were exfiltrated, raising compliance and liability risks.
- Multiple vendors were compromised within weeks, highlighting the need for continuous vendor risk monitoring.
Who Is Affected – Public‑sector healthcare providers, care‑management agencies, and any downstream organizations that rely on NADAP’s services.
Recommended Actions –
- Review all third‑party contracts for security clauses and breach‑notification obligations.
- Conduct immediate security assessments of any vendors with network access to PHI.
- Enforce least‑privilege access, multi‑factor authentication, and continuous monitoring of vendor activity.
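The last recommendation (least privilege, MFA and continuous monitoring of vendor activity) can be turned into checks that run over vendor account logs. The script below is an added illustration, not code from the article, DataBreachToday, NYC Health + Hospitals or NADAP: the log format, the vendor account names, the allowed resources and source networks, and the 30‑day dwell threshold are all assumptions, and the log lines are constructed. It flags four conditions a TPRM team would want surfaced: a vendor account touching a resource outside its contracted scope, a login without MFA, activity from an unexpected source network, and an account that stays active for more distinct days than a normal engagement, which is the "prolonged foothold" pattern the article describes.

```python
"""Added example: screening vendor-account activity for least-privilege, MFA,
source-network and dwell-time violations.  Everything here (log format, account
names, policy, thresholds, log lines) is constructed for illustration."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed per-vendor policy: which resources the account may reach and from where.
VENDOR_POLICY = {
    "svc-vendor-a": {"resources": {"claims-api"},
                     "network": ipaddress.ip_network("203.0.113.0/24")},
    "svc-nadap":    {"resources": {"care-mgmt-portal"},
                     "network": ipaddress.ip_network("198.51.100.0/24")},
}
MAX_ACTIVE_DAYS = 30  # assumed: longer sustained activity is worth an analyst's look


def parse_line(line: str) -> dict:
    """One JSON-lines access event -> dict with a timezone-aware datetime."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def audit(events) -> list[tuple[str, str]]:
    """Return (account, finding) pairs for every policy violation seen."""
    findings = []
    active_days = defaultdict(set)
    for ev in events:
        policy = VENDOR_POLICY.get(ev["user"])
        if policy is None:
            # Vendor-style account with no contract on file at all.
            findings.append((ev["user"], "unknown-vendor-account"))
            continue
        if not ev["mfa"]:
            findings.append((ev["user"], "no-mfa"))
        if ipaddress.ip_address(ev["src"]) not in policy["network"]:
            findings.append((ev["user"], f"unexpected-source:{ev['src']}"))
        if ev["resource"] not in policy["resources"]:
            # Least-privilege check: contract scope does not cover this resource.
            findings.append((ev["user"], f"out-of-scope:{ev['resource']}"))
        active_days[ev["user"]].add(ev["ts"].date())
    # Dwell-time check: count distinct days each vendor account was active.
    for user, days in active_days.items():
        if len(days) > MAX_ACTIVE_DAYS:
            findings.append((user, f"dwell:{len(days)}-days"))
    return findings


def constructed_log() -> list[str]:
    """Constructed sample log: a few hand-written events plus a 35-day run of
    daily activity for one vendor account to trigger the dwell check."""
    lines = [
        '{"ts":"2025-01-03T10:00:00Z","user":"svc-vendor-a","src":"203.0.113.7",'
        '"resource":"claims-api","mfa":true}',
        '{"ts":"2025-01-03T10:05:00Z","user":"svc-vendor-a","src":"203.0.113.7",'
        '"resource":"phi-records-db","mfa":true}',
        '{"ts":"2025-01-04T02:00:00Z","user":"svc-nadap","src":"192.0.2.55",'
        '"resource":"care-mgmt-portal","mfa":false}',
        '{"ts":"2025-01-04T02:10:00Z","user":"svc-unknown","src":"192.0.2.55",'
        '"resource":"claims-api","mfa":true}',
    ]
    start = datetime(2025, 2, 1, tzinfo=timezone.utc)
    for day in range(35):
        ts = (start + timedelta(days=day)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(json.dumps({"ts": ts, "user": "svc-vendor-a",
                                 "src": "203.0.113.9", "resource": "claims-api",
                                 "mfa": True}))
    return lines


def run_audit() -> list[tuple[str, str]]:
    return audit(parse_line(line) for line in constructed_log())


if __name__ == "__main__":
    for account, finding in run_audit():
        print(f"{account:14s} {finding}")
```

In a real deployment the policy table would be generated from the vendor contract inventory, and the events would come from the identity provider or VPN gateway rather than a constructed list; the checks themselves stay the same.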
Technical Notes – Attack vector: exploitation of a third‑party vendor’s security weakness (likely misconfiguration or credential compromise). No specific CVEs were disclosed. Compromised data includes health insurance details, diagnoses, medication lists, biometric prints, billing claims, Social Security numbers, driver’s license numbers, geolocation, and payment‑card information. Source: DataBreachToday