A care management partner of NYC Health + Hospitals has reported a significant data security incident involving unauthorized access to sensitive patient information, highlighting ongoing cybersecurity challenges in healthcare systems. The breach, confirmed to be a cyberattack, impacted the National Association on Drug Abuse Programs (NADAP), exposing records of 5,086 patients receiving care through NYC Health + Hospitals’ Lead Health Home program.
The affected program supports Medicaid enrollees and focuses on care coordination for individuals dealing with substance abuse and dependency. NADAP plays a critical role in delivering patient-centered healthcare services, including treatment planning, education programs, workforce training, and social services navigation aimed at improving long-term patient outcomes.
According to NYC Health + Hospitals, the cyberattack occurred in November 2025 but was identified on January 10, 2026. Upon detection, NADAP immediately took impacted systems offline to contain the incident and began working with cybersecurity experts to investigate the breach. A formal data breach notification was issued to affected patients on March 11, outlining the scope of the compromised information.
The exposed data includes highly sensitive protected health information (PHI) and personally identifiable information (PII), such as patient names, Social Security numbers, dates of birth, Medicaid identification numbers, treatment plans, diagnoses, and medication details. Reports also indicate that financial data, including tax-related information, may have been compromised, raising concerns about potential identity theft and fraud risks for affected patients.
This incident underscores the growing importance of cybersecurity in healthcare, particularly as organizations increasingly rely on digital health systems and data-driven care coordination models. The integration of AI in healthcare and advanced analytics has improved patient care delivery, but it has also expanded the attack surface for cybercriminals targeting healthcare networks.
NYC Health + Hospitals confirmed that the breach has been reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which oversees compliance with HIPAA regulations. While the breach has not yet appeared on the federal healthcare data breach tracker, it is expected to be listed once processing is complete.
At this stage, the total number of affected individuals across all organizations working with NADAP remains unclear. Although NADAP primarily serves approximately 35,000 individuals in New York, the organization works with multiple healthcare entities, meaning additional patients could potentially be impacted. Each partnering healthcare provider may be responsible for issuing notifications to their respective patients.
NADAP has stated that its investigation is ongoing, with cybersecurity specialists assisting in determining the full scope and cause of the breach. The organization confirmed that an unauthorized third party accessed its systems, but details regarding the method of intrusion – such as phishing, malware, or ransomware – have not yet been disclosed.
As healthcare organizations continue to modernize their infrastructure and adopt digital-first patient care models, incidents like this highlight the urgent need for stronger data protection strategies, proactive threat detection, and continuous monitoring systems. Strengthening cybersecurity frameworks remains critical to safeguarding patient data, maintaining trust, and ensuring compliance in an increasingly complex healthcare ecosystem.
Recommended Cyber News :
- Zero-Knowledge Biometrics Isn’t a Feature—It’s the Future of Digital Trust
- Ransomware Protection Tools for 2025: Insights into the Latest Innovations
- Adidas Cyberattack: A Detailed Analysis of the 2025 Data Breach Incident
To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com
