Data breach on care management company impacts 5K patients at NYC Health
A care management partner of NYC Health + Hospitals has experienced a “data security incident” confirmed to be a breach by an unauthorized third party that exposed records on patients.
In a statement, NYC Health said the National Association on Drug Abuse Programs (NADAP), which provides care coordination services for individuals struggling with past or present substance abuse and dependence was the victim of a cyberattack in November 2025, which exposed records on 5,086 patients.
Those patients were confirmed to be receiving care through NYC Health + Hospitals’ Lead Health Home, which supports Medicaid enrollees. It also facilitates direct assessments of the unique substance abuse issues faced by patients, presenting them with options for treatment.
In support of the goal of mitigating addiction, NADAP also offers education programs, including workforce training and social services navigation.
NYC Health said the care management group identified the intrusion on January 10, 2026, at which time it took impacted systems offline.
The health system released a data breach notice for its impacted patients on March 11. Stolen data does include protected health and private information, including names, Social Security numbers, dates of birth, details on health treatment plans, diagnoses, medications and Medicaid ID numbers.
According to the law firm Shamis & Gentile P.A., which posted a claims notice for a pending class action lawsuit related to the incident, financial details may also have been exposed—including tax information.
NYC Health said it has notified the Office for Civil Rights (OCR) about the exposure of its patients.
Its report is not yet available on the federal government’s healthcare data breach tracker but should appear there once it’s processed.
Total number of victims unknown
The individual entities—hospitals, health systems, clinics and health plans—who contract with NADAP nationwide may ultimately be the ones responsible for notifying their patients. As for a total count of all victims, a notice posted by NADAP currently does not provide a number.
The organization did say that, as of Feb. 13, an investigation is still ongoing. Notably, despite its name, NADAP’s website claims it only serves New Yorkers—some 35,000 of them.
It said it alerted state regulators and authorities about the incident. The exact nature and scope of the data breach was not revealed. It’s unclear how hackers gained access or whether or not malware or ransomware was deployed.
It only confirmed that, with the help of cybersecurity experts, it was able to ascertain that an unauthorized third party gained access to its files.
Information stolen by cybercriminals will vary by individual, NADAP confirmed.
HealthExec has reached out to the care management nonprofit for more details.
Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.