New York City Health + Hospitals — the largest public health system in the US, serving approximately 1.4 million patients annually — notified patients of data exposure from two separate third-party vendor hacks. Attackers had access to the vendors’ systems for nearly a year before detection. NYC H+H provides care to New York City’s most vulnerable populations including uninsured and underinsured patients. The dual vendor breaches illustrate the systemic supply chain risk at large public health systems that rely on numerous third-party vendors for specialized services. HHS OCR was notified. The nearly year-long dwell times suggest sophisticated threat actors who specifically target healthcare vendor access for long-term data collection rather than immediate ransomware deployment.