
St. John’s Riverside Hospital, a leading community-based healthcare provider in Yonkers, New York, recently experienced a data breach that potentially exposed personally identifiable information (PII) and protected health information (PHI) of at least 2,238 individuals across the U.S.
According to a disclosure filed with the U.S. Department of Health and Human Services on Nov. 14, 2025, the breach originated from unauthorized access to a limited number of employee email accounts. The incident was discovered in September 2025, when the hospital detected suspicious activity involving the distribution of phishing emails and an attempt to reroute payment funds.
The compromised email accounts contained a range of sensitive information. For some individuals, the exposed data included personally identifiable information (PII) such as name, date of birth, Social Security number, driver’s license or state identification number and financial account number. For others, protected health information (PHI) was involved, including health insurance details, medical condition information, treatment provider name, medical record number, treatment cost information and diagnosis or treatment information.
The official notice to consumers is also available online.
Upon discovering the breach, St. John’s Riverside Hospital immediately took steps to secure its systems. The hospital changed passwords, revoked session tokens, reset multifactor authentication and engaged data security and privacy professionals to investigate the incident. The unauthorized activity was contained and remediated, and the hospital conducted a thorough analysis to identify affected individuals.
If you believe your personal information may have been compromised in this breach:







