A wave of major US healthcare data breaches has surfaced on the Department of Health and Human Services (HHS) breach tracker in recent days, collectively impacting millions of patients. The largest confirmed incident hit New York City Health and Hospitals Corporation, exposing data on 1.8 million individuals, with additional breaches at Erie Family Health Centers (570,000), Florida Physician Specialists (276,000), and others rounding out the disclosures.
What Happened
Several major US healthcare providers had their breach victim counts officially logged on the HHS breach portal in recent days, though the underlying incidents were disclosed months earlier. NYC Health and Hospitals Corporation detected an intrusion on February 2, 2026, after attackers maintained access to its environment from November 2025 through February 2026 by way of a compromised third-party vendor. Erie Family Health Centers in Chicago detected its own intrusion in January 2026, with attacker dwell time spanning December 10, 2025 to late January 2026. Florida Physician Specialists reported a two-day intrusion window in November 2025. Coastal Carolina Health Care and Western Orthopaedics each disclosed breaches affecting roughly 110,000 individuals, while Nacogdoches Memorial Hospital in Texas appears on the tracker with a 2.5 million figure that prior reporting suggests may be a data entry error (previously reported as 250,000). None of the incidents have been claimed by any known ransomware or extortion crew.
What Was Taken
The exposed data sets are deep and highly monetizable. Across the disclosed incidents, attackers accessed combinations of full names, phone numbers, email addresses, Social Security numbers, driver's license numbers, passport numbers, online account credentials, financial account data, health insurance details, medical records, and in the NYC Health and Hospitals case, biometric identifiers. The NYC incident alone exposes 1.8 million patient records, Erie covers 570,000, Florida Physician Specialists 276,000, and the smaller regional providers another 220,000 combined. The combination of government identifiers, financial data, and medical history makes these records prime feedstock for synthetic identity fraud, insurance scams, and targeted extortion.
Why It Matters
The cluster confirms what defenders have been tracking for two years: US healthcare remains the highest-yield, lowest-friction target for financially motivated intrusions. The NYC Health and Hospitals breach traces back to a third-party vendor, reinforcing that supply chain access continues to bypass mature internal controls at large public health systems. Dwell times of roughly three months at NYC and six weeks at Erie show attackers had unhurried access to sensitive environments before detection. The fact that none of these breaches has been claimed by a named group suggests quiet data theft for resale, brokers operating outside the public leak ecosystem, or attackers still sitting on the data pending negotiation. Defenders should assume more victim counts on the HHS tracker will be revised upward in coming weeks.
The Attack Technique
Technical specifics remain limited across the disclosures, but the available indicators point to familiar tradecraft. NYC Health and Hospitals explicitly attributes its compromise to a third-party vendor, consistent with the broader pattern of healthcare attackers pivoting through business associates, billing platforms, and managed service providers rather than burning capability against hardened hospital perimeters. The multi-month dwell time at NYC and the six-week window at Erie are consistent with credential theft, VPN or remote access abuse, followed by lateral movement and staged exfiltration. The two-day intrusion at Florida Physician Specialists suggests a smash-and-grab pattern, possibly automated harvesting following an initial access broker handoff. The absence of public extortion claims means either pure data theft for criminal marketplaces or operators that deliberately stay off leak sites.
What Organizations Should Do
- Inventory and tier every third-party vendor with network or data access, and require time-bound, scoped credentials with MFA enforcement on all vendor accounts.
- Hunt for unusual access patterns across vendor and contractor identities spanning the November 2025 to February 2026 window, since the NYC and Erie dwell times suggest broader campaign activity.
- Deploy and tune detection for staged data exfiltration: large outbound transfers, archive creation in unusual directories, and abnormal access to PHI repositories outside business hours.
- Validate that EHR, billing, and biometric systems generate auditable access logs that are forwarded to a SIEM with retention sufficient to investigate months-long dwell scenarios.
- Run tabletop exercises specifically modeling a third-party vendor compromise, including HHS notification timelines, state attorney general reporting, and patient notification logistics.
- Review HHS breach tracker reporting workflows internally to ensure victim counts are accurate on first disclosure, since revisions invite regulatory and media scrutiny.
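The hunting and detection items above (vendor identity activity inside the November 2025 to February 2026 window, after-hours PHI access, archive staging, large outbound transfers) can be wired together into one pass over access logs. The script below is an added example written for this page, not code from the article or from any of the affected providers. It assumes a CSV log export with timestamp, user, action, target and byte-count columns, that vendor and contractor accounts carry a "svc-vendor-" prefix, that PHI repositories are named "phi-*" or "ehr-*", and a 1 GiB outbound threshold; the sample log lines are constructed for the demo and describe no real event.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Assumptions (not from the article): naming conventions for vendor identities
# and PHI repositories, business hours, and the outbound byte threshold.
VENDOR_PREFIX = "svc-vendor-"
PHI_PREFIXES = ("phi-", "ehr-")
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
LARGE_OUTBOUND_BYTES = 1 << 30  # 1 GiB; tune to the environment's baseline
ARCHIVE_SUFFIXES = (".7z", ".zip", ".rar", ".tar.gz")

# Dwell window from the NYC and Erie disclosures (Nov 2025 through Feb 2026).
DWELL_WINDOW = (datetime(2025, 11, 1), datetime(2026, 2, 28, 23, 59, 59))

# Constructed sample log; the identities, hosts and events are invented.
SAMPLE_LOGS = """\
timestamp,user,action,target,bytes
2025-12-14T02:13:05,svc-vendor-billing,read,phi-archive-01,0
2025-12-14T02:20:41,svc-vendor-billing,file_create,/tmp/.cache/x.7z,0
2025-12-14T02:45:00,svc-vendor-billing,outbound,203.0.113.7,5368709120
2025-12-15T10:02:11,svc-vendor-billing,read,billing-db,0
2025-12-15T11:30:00,jdoe,read,ehr-prod,0
2026-01-05T14:00:00,svc-vendor-imaging,outbound,198.51.100.9,104857600
2026-03-01T03:00:00,svc-vendor-billing,read,phi-archive-01,0
"""


def parse_logs(text):
    """Parse the CSV export into dicts with a datetime and an int byte count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def is_after_hours(ts):
    """True on weekends or outside the 07:00-19:00 business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def classify(row):
    """Return a finding label for one event, or None if it looks benign."""
    action, target = row["action"], row["target"]
    if action == "read" and target.startswith(PHI_PREFIXES) and is_after_hours(row["timestamp"]):
        return "after_hours_phi_access"
    if action == "file_create" and target.endswith(ARCHIVE_SUFFIXES):
        return "archive_staging"
    if action == "outbound" and row["bytes"] >= LARGE_OUTBOUND_BYTES:
        return "large_outbound_transfer"
    return None


def hunt(log_text, window_start, window_end):
    """Findings per vendor identity inside the dwell window, in time order."""
    findings = defaultdict(list)
    for row in sorted(parse_logs(log_text), key=lambda r: r["timestamp"]):
        if not row["user"].startswith(VENDOR_PREFIX):
            continue  # only vendor/contractor identities are in scope here
        if not (window_start <= row["timestamp"] <= window_end):
            continue
        label = classify(row)
        if label:
            findings[row["user"]].append((row["timestamp"].isoformat(), label))
    return dict(findings)


def staged_exfil_suspects(findings):
    """Identities showing the chain PHI access -> archive staging -> large outbound, in order."""
    chain = ["after_hours_phi_access", "archive_staging", "large_outbound_transfer"]
    suspects = []
    for user, events in findings.items():
        idx = 0
        for _, label in events:
            if idx < len(chain) and label == chain[idx]:
                idx += 1
        if idx == len(chain):
            suspects.append(user)
    return suspects


if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS, *DWELL_WINDOW)
    for user, events in results.items():
        print(user)
        for ts, label in events:
            print(f"  {ts}  {label}")
    print("staged-exfil suspects:", staged_exfil_suspects(results))
```

On the sample data only svc-vendor-billing surfaces, with all three findings in sequence on the night of 2025-12-14; the same account's March read falls outside the window, the imaging vendor's 100 MB transfer stays under the threshold, and the human user is ignored because the hunt is scoped to vendor identities. In a real deployment the thresholds and naming rules would come from the asset inventory built in the first item above, and the chain check would run over SIEM-retained logs long enough to cover a multi-month dwell.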
Sources: Millions Impacted Across Several US Healthcare Data Breaches