Key Takeaways
- Senator Bill Cassidy (R‑LA), chairman of the Senate HELP Committee, sent a June 4 letter to NYC Health + Hospitals CEO Michael Katz, M.D., requesting details about a cybersecurity breach discovered in late 2025.
- The breach, identified on February 2, 2025, involved unauthorized access to the health system’s networks from November 25, 2024, through February 11, 2025, likely stemming from a third‑party vendor vulnerability.
- Affected data varied per individual and could include health insurance, medical, biometric, billing, claims, payment, Social Security numbers, and precise geolocation information.
- NYC Health + Hospitals notified affected individuals on March 24, 2025, stating the notice was not delayed by any law‑enforcement investigation.
- Cassidy emphasized that cybersecurity threats are among the gravest risks to health care, citing 628 reported breaches in 2025 and urging stronger safeguards, especially as attackers increasingly use AI‑driven tactics.
- The senator asked for specifics on remedial steps taken or planned, any additional reporting beyond HIPAA requirements, and clarification of the organization’s security protocols and best practices.
- The Health Care Cybersecurity and Resilience Act, co‑sponsored by Cassidy and bipartisan colleagues, was reintroduced in December 2024 and advanced out of the HELP Committee in February 2025, aiming to fortify health‑data protection nationwide.
Background on the Senator’s Inquiry
Senator Bill Cassidy, M.D., chairman of the Senate Health, Education, Labor and Pensions (HELP) Committee, initiated a formal request for information from New York City’s public hospital system after learning of a significant cybersecurity incident. In his June 4 letter addressed to CEO Michael Katz, M.D., Cassidy cited the breach as a stark illustration of the vulnerabilities facing the nation’s largest public health system. He asked for a comprehensive account of the incident’s discovery, the scope of compromised data, the response undertaken, and any planned improvements to security infrastructure. The senator set a June 18 deadline for responses, underscoring the urgency he attaches to safeguarding patient information in an era of escalating cyber threats.
Details of the Breach Timeline and Discovery
According to NYC Health + Hospitals, suspicious activity was first detected on February 2, 2025, within certain segments of its network. A subsequent forensic investigation traced the unauthorized access window to between November 25, 2024, and February 11, 2025. The system indicated that the intrusion likely originated from a security weakness in a third‑party vendor’s software or services, which allowed an external actor to penetrate the hospital’s defenses. Importantly, the organization asserted that the timing of its public notification was not influenced by any ongoing law‑enforcement probe, aiming to demonstrate transparency despite the incident’s severity.
Scope of Compromised Information
The breach exposed a heterogeneous set of personal data, with the exact elements varying from one affected individual to another. NYC Health + Hospitals disclosed that the compromised information could encompass health insurance details, medical records, biometric identifiers, billing and claims data, payment information, Social Security numbers, and precise geolocation data. This breadth of potentially exposed data amplifies the risk of identity theft, medical fraud, and privacy violations, prompting the senator’s concern about the adequacy of existing protective measures and the need for robust remediation.
Notification Process and Regulatory Context
On March 24, 2025, the health system began notifying individuals whose data may have been accessed, adhering to the timelines prescribed under the Health Insurance Portability and Accountability Act (HIPAA). The organization emphasized that the notification was not delayed by any law‑enforcement investigation, attempting to preempt criticism about tardy disclosure. Nevertheless, Cassidy’s letter seeks clarification on whether the organization fulfilled all federal and state reporting obligations, and whether it intends to exceed the minimum HIPAA requirements by offering additional outreach or support to impacted patients.
Senator Cassidy’s Emphasis on Cybersecurity Risks
In his correspondence, Senator Cassidy characterized cybersecurity threats as “one of the most significant risks currently affecting the health care system,” referencing a reported total of 628 breaches in 2025. He warned that hostile actors are increasingly employing sophisticated tactics, including the use of artificial intelligence, to exploit vulnerabilities. By highlighting the NYC Health + Hospitals incident, Cassidy aimed to underscore that even the nation’s largest public health provider is not immune to such attacks, reinforcing the imperative for proactive, sector‑wide defenses.
Request for Remedial Actions and Enhanced Reporting
The senator specifically asked NYC Health + Hospitals officials to detail the remedial steps already taken or planned to strengthen security protocols. This includes inquiries into patch management, vendor risk assessments, employee training, intrusion detection systems, and incident‑response planning. Furthermore, Cassidy pressed the organization to describe any additional reporting commitments it has undertaken for affected individuals beyond the mandatory HIPAA notifications—such as offering credit‑monitoring services, identity‑theft protection, or dedicated help‑lines—to mitigate potential harms stemming from the breach.
Broader Landscape of Healthcare Data Breaches in 2025
The NYC Health + Hospitals breach fits within a troubling trend: according to the U.S. Department of Health and Human Services’ breach portal, 435 healthcare data breaches affecting 500 or more individuals were reported in 2025. Notably, several incidents dwarfed the NYC event in scale; for example, a breach at business associate Conduent Business Services compromised the data of roughly 62 million individuals. Senator Cassidy has been actively investigating other major lapses, including those involving OPEXUS and UnitedHealth Group, reflecting his broader commitment to holding healthcare entities accountable for safeguarding sensitive information.
Legislative Efforts: The Health Care Cybersecurity and Resilience Act
In response to the escalating threat environment, Senator Cassidy, alongside Senators Maggie Hassan (D‑NH), John Cornyn (R‑TX), and Mark Warner (D‑VA), reintroduced the Health Care Cybersecurity and Resilience Act in December 2024. The bill aims to fortify the nation’s health‑data infrastructure by establishing baseline cybersecurity standards, mandating regular risk assessments, improving information sharing between federal agencies and private providers, and providing grants for small‑ and medium‑sized organizations to upgrade defenses. The legislation successfully advanced out of the Senate HELP Committee in February 2025, signaling bipartisan recognition of the need for stronger protective measures amid rising cyber threats.
Conclusion and Implications for Stakeholders
Senator Cassidy’s inquiry serves as a catalyst for heightened scrutiny of cybersecurity practices within the nation’s largest public health system. By demanding transparency about the breach’s origins, scope, response, and future safeguards, the senator seeks to ensure that NYC Health + Hospitals—and by extension, similar institutions—adopt rigorous, forward‑looking defenses. The outcome of this oversight could influence forthcoming regulatory guidance, shape the implementation of the Health Care Cybersecurity and Resilience Act, and ultimately bolster patient trust in an increasingly digital healthcare landscape. As threats evolve, proactive collaboration between legislators, health‑system leaders, vendors, and cybersecurity experts will be essential to protect the confidentiality, integrity, and availability of vital health information.