The Business Council of New York State Data Breach Investigation

Recently, BCNYS discovered that it had experienced a data breach in which the sensitive personal identifiable information and protected health information in its systems may have been accessed.¹ According to the breach notice, BCNYS recently learned that an unauthorized party gained access to a limited number of internal systems from approximately February 24 to February 25, 2025.¹ As a result, BCNYS launched an investigation to determine the nature of the incident.

Through its investigation, BCNYS discovered on or about August 4, 2025, that the files or folders accessed or acquired by the unauthorized party certain personal information.¹ As a result, BCNYS began a review of the data to determine what information had been impacted as well as identify the specific individuals affected. While the information impacted varies depending on the individual, the type of information potentially exposed includes:

• Name
• Social Security number
• Date of birth
• State identification number
• Financial account information (e.g., financial institution names, financial account and routing number information, payment card numbers, payment card access PINs, payment card expiration dates, taxpayer identification numbers, and electronic signature information)
• Health insurance information
• Medical record information (e.g., medical provider name, medical diagnosis or condition information, prescription information, and medical treatment or procedure information)

As a result, BCNYS posted notice of the incident on its website. Based on the breach notice, BCNYS is providing affected individuals with a list of the specific types of sensitive information impacted. A link to the form breach notification that BCNYS posted to its website is below.