Senate HELP committee chairman seeks info on NYC Health + Hospitals data breach

Senate Health, Education, Labor and Pensions (HELP) Committee Chairman Sen. Bill Cassidy, M.D., R-La., is seeking information from New York City officials about a late 2025 cybersecurity breach at NYC Health + Hospitals, the largest public U.S. health system.

The legislator wants answers from CEO Michael Katz, M.D., on the system’s security protocols, best practices, notified agencies and how it has responded to the incident. New York Mayor Zohran Mamdani’s administration was also cited in the June 4 letter (PDF).

Cassidy is seeking responses from officials by June 18.

NYC Health + Hospitals notified affected individuals March 24 about a data security incident. The system said it discovered suspicious activity Feb. 2 affecting certain systems in its network, with a subsequent investigation determining an unauthorized user accessed systems between Nov. 25 and Feb. 11. 

Preliminary investigation results found the user may have accessed systems due to a security breach from a third-party vendor. The system said its notification was not delayed as a result of a law enforcement investigation.

Affected information varied by individual, though the system noted it included health insurance information; medical information; biometric information; billing, claims or payment information; or other personal information, like Social Security numbers or precise geolocation data.

"Cybersecurity threats are one of the most significant risks currently affecting the health care system," Cassidy wrote in the letter, citing 628 reported breaches in 2025.

“At a time when hostile actors are increasingly using sophisticated tactics by leveraging artificial intelligence, it is essential for the health care sector to take meaningful steps to safeguard patient and consumer information,” Cassidy wrote. “The recent cybersecurity incident affecting NYC Health + Hospitals, the largest public health system in the United States, highlights the risk cybersecurity incidents pose to patients.”

Cassidy requests more information from NYC Health + Hospitals officials about what remedial steps the organization has taken or intends to take to improve its security protocols. He also pressed health system officials to outline any additional reporting the organization has committed to doing for individuals who have had their information disclosed, beyond the reporting requirements under HIPAA.

According to the U.S. Department of Health and Human Services' breach portal, there were 435 healthcare data breaches in 2025. These figures only account for breaches affecting 500 or more individuals, which hospitals are federally mandated to report to HHS.

Many data breaches in 2025 were much larger than the NYC Health + Hospitals incident, including one reported by Conduent Business Services, a business associate, that impacted 62 million individuals.

Cassidy has stepped up scrutiny of major healthcare data breaches, leading investigations into several cybersecurity lapses, including those by OPEXUS and UnitedHealth Group.

In December, Cassidy and Senate colleagues Maggie Hassan (D-NH), John Cornyn (R-TX), and Mark Warner (D-VA) reintroduced the Health Care Cybersecurity and Resilience Act to protect Americans’ health data by strengthening cybersecurity. That bill advanced out of the Senate HELP committee in February.