NYC Health + Hospitals is the largest public hospital network in the United States. It serves uninsured New Yorkers, low-income families, patients in addiction treatment. People without easy alternatives. And sometime around November 25, 2025, an unauthorized party got into their data and stayed there for nearly eleven weeks.

The breach wasn’t detected until January 10, 2026. By the time anyone noticed, the window of exposure had stretched from late November to February 11. Over one million patients affected. The intrusion traced back to NADAP, a third-party vendor handling care coordination and addiction services. Think about what that data contains for this patient population. Not just names. Medical records tied to addiction treatment, mental health services, conditions that carry real stigma. Litigation is already coming.

The same week, France’s Cerballiance (one of France’s largest medical laboratory chains) notified patients that an attacker had accessed a third-party IT provider’s server. The stolen data included lab reports and French Social Security numbers. Lab reports. HIV diagnoses. Cancer results. Genetic conditions. Information patients may not have told their own families about. You can cancel a credit card. You can’t un-expose an HIV result. This was also the second major French healthcare breach in a month, both through third-party systems.

Then Coastal Carolina Health Care. A third-party vendor confirmed a breach on February 26. Names and Social Security numbers exposed. The attacker had access for a full week. A class action is already moving. HIPAA Journal noted it was one of six simultaneous healthcare breach disclosures that week. Six. At the same time.

Three breaches. Three different countries. Same attack vector: a third-party vendor with patient data access, inadequate security, and a window long enough to do serious damage. This isn’t bad luck. It’s a structural failure the industry keeps identifying and not fixing. Healthcare runs on vendor ecosystems and treats those relationships as separate from its own security perimeter. They’re not. A vendor with access to patient records is a point of entry into the patient records.

The patients didn’t choose their hospital’s vendor relationships. They just needed care.

