Notice of Data Breach NYC Health + Hospitals

Articles

The Permanent Price of a Healthcare Breach

ByKayne May 21, 2026May 21, 2026

Key quote:

Based on the review to date, the information involved varies by individual, the affected information may include one or more of the following, though not every data element was involved for every affected individual: … Biometric information (including fingerprints and palm prints); … precise geolocation data, credit or debit card numbers, financial account information or credentials, or online account credentials.

Why it matters:

This isn’t just another headline about stolen Social Security numbers. The NYC Health + Hospitals breach, which compromised 1.8 million individuals personal data between November 2025 and February 2026, crosses a dangerous line because it includes fingerprints and palm prints. Passwords can be reset; credit cards can be cancelled. But you can’t change your biometrics, despite what we see in movies. Once those prints are in the wild, the vulnerability is permanent. If even a fraction of those 1.8 million affected patients reside in Illinois, the Illinois Biometric Information Privacy Act (BIPA) is going to get shouty about this one. Apparently, prospective employees are required to submit fingerprints for background checks, which explains the data’s presence, but it doesn’t excuse the failure to protect it or to keep it around for long.

Then there’s the “precise geolocation data.” This isn’t just metadata; it’s a potential map of a patient’s life. Reconstructing movement patterns could expose visits to addiction treatment centers, mental health clinics, or HIV/AIDS support groups. The stigma attached to these conditions is real, and the potential for blackmail or discrimination is immediate.

And the silence on the vendor’s identity is the most telling part of this story. It mirrors the early days of the Target breach back in 2013, where the third-party entry point was the weak link. NYC Health + Hospitals has claimed the attack came through a compromised vendor, but hasn’t named them. That silence invites scrutiny. Regulators and plaintiffs’ attorneys will soon demand proof of vendor due diligence, Business Associate Agreements, and access monitoring. The fact that the breach went undetected for nearly three months suggests a failure in those very controls, and also that the third party might be associated with other breaches. With law firms already looking to file class action lawsuits, the legal reckoning is inevitable. This isn’t just a data loss; it’s a loss of trust for a system serving more than a million New Yorkers every year.

Articles

The EU AI Act Delay That Wasn’t a Loophole
ByKayne May 11, 2026May 11, 2026

Key quote: Today’s agreement on the AI act significantly supports our companies by reducing recurring administrative costs. It ensures legal certainty and a smoother and more harmonised implementation of the rules across the Union, strengthening EU’s digital sovereignty and overall competitiveness. At the same time, we are stepping up the protection of children targeting risks…

Read More The EU AI Act Delay That Wasn’t a Loophole
Articles

AI Wins in Colorado Legislature
ByKayne May 12, 2026May 12, 2026

Key quote: The bill establishes consumer notice requirements, mandating that deployers provide clear and conspicuous notice to consumers at the point of interaction with a covered ADMT. A deployer is required to provide a consumer with a plain language description of a covered ADMT’s role within 30 days after the covered ADMT makes a consequential…

Read More AI Wins in Colorado Legislature
Articles

3,800 Repos, One Extension, Zero Excuses
Byhostinger.rake304 May 20, 2026May 20, 2026

Key quote: 1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub’s internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately. Why it matters: One developer at…

Read More 3,800 Repos, One Extension, Zero Excuses
Articles

Regulators Are Blinking. Your AI Risks Aren’t Waiting.
ByKayne May 14, 2026May 13, 2026

It was a pleasure joining Aashis Luitel and Tristan Ingold on Sprinto’s webinar today. We covered a lot of ground in an hour, but here’s what I keep coming back to: the worst thing leaders can do right now is wait. The timing of the webinar was comedy gold. Days before we chatted about AI…

Read More Regulators Are Blinking. Your AI Risks Aren’t Waiting.
Articles

Compliance Paperwork Won’t Save You From a Vendor Breach
ByKayne May 7, 2026May 7, 2026

Key quote: All of Marquis Software Solutions, Inc.’s deadlines in the above-captioned action are stayed pending the parties’ mediation efforts. Why it matters: The litigation surrounding the Marquis Software Solutions breach is currently taking a break for mediation, as seen in the April 6, 2026, Order in In Re Marquis Software Solutions, Inc. Data Breach Litigation (Case…

Read More Compliance Paperwork Won’t Save You From a Vendor Breach
Articles

When Zero-Days Are Cheap, Attack Surface Is A Liability
ByKayne May 13, 2026May 12, 2026

I loved being a guest on today’s Cyber Risk Alliance webinar with Adrian and wanted to share some of my additional notes and thoughts in case you missed the live show (or prefer reading my weekly newsletter). The Mythos and Daybreak hype cycle’s missing the whole point. Niels Provos proved it with his IronCurtain framework: swap…

Read More When Zero-Days Are Cheap, Attack Surface Is A Liability

Understand the stories that matter.

Similar Posts