Results

U.S. Senate Committee on Health, Education, Labor, and Pensions

06/05/2026 | Press release | Distributed by Public on 06/05/2026 08:11

Chairman Cassidy Presses Zohran Mamdani, NYC Hospital on Major Health Breach, Calls for Safeguards to Protect Patients

WASHINGTON - U.S. Senator Bill Cassidy, M.D. (R-LA), Chairman of the U.S. Senate Health, Education, Labor, and Pensions (HELP) Committee, pressed New York Mayor Zohran Mamdani's administration on the recent cybersecurity incident affecting NYC Health + Hospitals, the largest public health system in the U.S.

Over a three-month period, NYC Health + Hospitals allowed hostile actors access to over one million patients' health insurance information, medical information, biometric information, precise geolocation data, and Social Security numbers. Since Mamdani is responsible for overseeing NYC Health + Hospital's activities as Mayor, Cassidy is seeking clarity on how his administration is strengthening cybersecurity to protect the data of New York families.

"At a time when hostile actors are increasingly using sophisticated tactics by leveraging artificial intelligence, it is essential for the health care sector to take meaningful steps to safeguard patient and consumer information," wrote Dr. Cassidy. "The recent cybersecurity incident affecting NYC Health + Hospitals, the largest public health system in the United States, highlights the risk cybersecurity incidents pose to patients."

Background:

As Chairman, Cassidy is leading efforts to protect Americans' private data. Earlier this Congress, the HELP Committee passed Cassidy's Health Care Cybersecurity and Resilience Act to safeguard Americans' health data. He has also investigated several cybersecurity lapses, including those by Hims & Hers, Instructure, OPEXUS and UnitedHealth Group.

Read the full letter here or below:

Dear Dr. Katz,

Cybersecurity threats are one of the most significant risks currently affecting the health care system. In 2025, there were 628 reported health care data breaches, resulting in delayed care, patient data stolen or accessed without authorization, and a potential for increased fraud. At a time when hostile actors are increasingly using sophisticated tactics by leveraging artificial intelligence, it is essential for the health care sector to take meaningful steps to safeguard patient and consumer information.

The recent cybersecurity incident affecting NYC Health + Hospitals, the largest public health system in the United States, highlights the risk cybersecurity incidents pose to patients. NYC Health + Hospitals has stated thus far that "personal information and/or protected health information" including health insurance information, medical information, biometric information, precise geolocation data, and Social Security numbers may have been accessed over a three-month period. NYC Health + Hospitals provides health care services to over one million patients every year, creating a substantial risk to the population NYC Health + Hospitals serves. To better understand the scope and impact of the potential incident, additional information is needed. To that end, I request answers to the following questions by June 18, 2026:

  1. What security protocols, both cyber and physical, does NYC Health + Hospitals have in place to protect against a cyberattack?

  1. How does NYC Health + Hospitals incorporate cybersecurity best practices implemented by other critical infrastructure sectors?

  1. When did NYC Health + Hospitals first become aware of a cyber incident affecting its systems?

  1. When did NYC Health + Hospitals notify federal agencies of a cyber incident, and which agencies did NYC Health + Hospitals notify?

  1. NYC Health + Hospitals has stated that "the affected information may include… health insurance information… medical information… [and] biometric information."

    1. What steps is NYC Health + Hospitals taking to identify any additional information that may have been accessed?

  1. How is NYC Health + Hospitals proactively communicating with potentially impacted individuals and entities?

  1. What remedial steps has NYC Health + Hospitals taken or intend to take to improve its security protocols?

  1. What additional reporting does NYC Health + Hospitals commit to doing for individuals who have had their information disclosed, beyond the reporting requirements under the Health Insurance Portability and Accountability Act (HIPAA)?

Sincerely,

###

For all news and updates from HELP Republicans, visit ourwebsite or Twitter at @GOPHELP.

U.S. Senate Committee on Health, Education, Labor, and Pensions published this content on June 05, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on June 05, 2026 at 14:11 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]