New York-Presbyterian Hospital posted a notice on their website on November 11. The incident has not yet shown up on HHS’s public breach tool, but undoubtedly will. Here is the description of the incident, as provided by the hospital:
On September 8, 2022, NewYork-Presbyterian Hospital’s data security monitors received an alert of suspicious activity on one of its servers, including possible attempts to download information by an unauthorized user. These attempts were successfully blocked and NYP’s Information Security Department began reviewing the matter.
As a result of its review, NYP later learned that an unauthorized third-party had used a cloud-based, remote information technology customer support program to gain access to the laptops of several of its workforce members, copying and removing desktop files from some of the devices. The threat actor did not access NYP’s patient portal but one of the compromised laptops contained protected health information of certain patients of NewYork-Presbyterian/Queens and NewYork-Presbyterian/ Hudson Valley.
Approximately twelve thousand (12,000) patients were affected. Information pertaining to those patients include first and last names, addresses, insurance authorizations, medical records numbers and exam results.
The hospital’s response to the incident can be found in their website notice.
https://www.nyp.org/notification-of-cybersecurity-incident