TL;DR: Per TechCrunch's reporting and Inc., attackers spent nearly three months (November 2025 - February 2026) inside the NYC Health + Hospitals network before detection, stealing medical records, personal data, and fingerprint scans for at least 1.8 million people. On June 4, 2026, Senate HELP Committee Chair Bill Cassidy sent CEO Mitchell Katz a formal inquiry demanding answers by June 18. The dwell-time story matters for NC SMBs because the same detection-failure pattern - logs not reviewed, EDR not deployed, lateral movement not alerted - is the default state of most small medical practices, distributors, and manufacturers across the Piedmont Triad in 2026.
Key takeaway: A three-month attacker dwell time is not a "large-organization" problem. It is the default outcome whenever logs are stored but not reviewed and endpoints are not monitored 24/7. An NC SMB running M365 without managed EDR and without a SOC reviewing alerts should expect the same multi-month dwell time the next time a credential is phished. Dwell time is what turns a phished password into a 1.8M-record breach.
Need 24/7 detection and a tested incident runbook before the next NC SMB dwell-time event? Preferred Data Corporation runs managed cybersecurity and 24/7 monitoring for NC small businesses since 1987. Call (336) 886-3282 or request a detection posture review.
What happened at NYC Health + Hospitals?
Attackers maintained undetected access to NYC Health + Hospitals - the largest US public hospital system - from November 2025 to February 2026, approximately three months. Per TechCrunch's May 18, 2026 reporting and the HIPAA Journal coverage, the stolen data set included:
- Medical records for at least 1.8 million patients, including diagnoses and treatment notes.
- Personal data including names, dates of birth, addresses, and contact information.
- Fingerprint biometric scans - a particularly hard-to-replace category of stolen identity data.
On June 4, 2026, Senate Health, Education, Labor, and Pensions Committee Chair Bill Cassidy sent a formal letter to NYC Health + Hospitals CEO Mitchell Katz demanding answers by June 18 on:
- The cyber and physical security protocols in place before the intrusion.
- The exact timeline of intrusion detection, federal notification, and remediation.
- How cybersecurity best practices from critical-infrastructure sectors were (or were not) incorporated into NYC Health + Hospitals' policies.
Per Inc.'s coverage, the three-month dwell time is what shifted this from a routine breach disclosure to a Senate-level inquiry.
Why does the dwell time matter more than the breach itself?
Because the dwell time is what an EDR-monitored stack with a 24/7 SOC actually fixes. A breach is the act of initial access; the dwell time is everything that happens between that access and the moment defenders notice. Per Verizon's 2026 DBIR and Mandiant's M-Trends 2026, dwell time for SMBs without managed detection runs:
| Defense Posture | Median Dwell Time | Outcome |
|---|---|---|
| No EDR, no SOC, logs not reviewed | 90 - 180 days | NYC Health + Hospitals pattern - mass exfiltration before detection |
| EDR deployed, no SOC monitoring | 30 - 60 days | Alerts fire but go unread; limited exfiltration |
| Managed EDR + 24/7 SOC | 1 - 7 days | Initial access contained before lateral movement |
| Managed EDR + 24/7 SOC + identity-hardened | Hours | Attacker contained at first credential abuse |
The mechanism is simple: every week the attacker stays inside is another week to map the estate, harvest credentials, and move laterally, so breach scope grows with dwell time. A one-week dwell time typically ends at a handful of mailboxes; a twelve-week dwell time gives the attacker time to reach backups, databases, and every connected SaaS tenant.
How does this apply to an NC small medical practice or 50-person SMB?
The same dwell-time math applies. An NC small medical practice, an NC distributor, and an NC professional services firm all share the same default detection failure: logs are kept somewhere, but no one is paid to read them at 2 a.m. Three concrete patterns NC SMBs should expect to find when they audit:
- M365 / Entra ID sign-in logs are retained, not monitored. Anomalous sign-ins (foreign IP, impossible-travel, OAuth grant to unfamiliar app) generate alerts that nobody reads outside business hours. Per Verizon 2026 DBIR, stolen credentials remain a top initial access vector for SMBs.
- Endpoint Defender alerts are emailed to the IT admin. Without 24/7 SOC triage, alerts pile up; by Monday morning, the response window has closed. Per Microsoft's Defender for Business documentation, Defender for Business standalone is a tool, not a service - the SOC monitoring layer is separate.
- Backups are job-scheduled, not job-verified. A ransomware crew that lands during week one of the dwell time has eleven more weeks to map and disable backups before encrypting production. Per the Veeam 2026 ransomware trends, backup compromise is now the prerequisite to ransom payment leverage.
Quotable definition: Dwell time is the time interval between initial compromise and defender detection. In 2026, the NC SMB dwell time without managed detection averages 90 - 180 days; with a 24/7 SOC, it drops to under 7 days. The difference is not a security philosophy; it is whether anyone is paid to read alerts on a Sunday night.
What is the NC SMB detection posture that compresses dwell time below 7 days?
A six-layer detection posture, per NIST SP 800-61 incident response guidance and CISA's Cybersecurity Performance Goals 2.0:
- Managed EDR on every endpoint, 24/7 SOC triage. Microsoft Defender for Business plus a partnered SOC, or SentinelOne / CrowdStrike Falcon Go with managed SOC. The non-negotiable: human triage of high-severity alerts in under 30 minutes any hour of any day.
- M365 / Entra ID identity monitoring. Conditional access policies, impossible-travel detection, OAuth grant review, dormant-account purge. Per Microsoft Entra ID best practices, the identity layer is where dwell time begins: a phished credential is the initial access, and the first anomalous sign-in is the first chance to catch it.
- Centralized logging with retention. SIEM or managed log review for M365, Entra ID, EDR, firewall, and VPN concentrators. The logs do not need to be elaborate; they need to be reviewed.
- Backup integrity monitoring. Immutable backup tier (Veeam Hardened Repository, object-lock cloud, offline tape) with monitoring that alerts on deletion attempts. Per Veeam KB4696, backup-server attacks are the prerequisite to high-leverage ransomware.
- Quarterly tabletop exercise. A tested incident runbook signed by named contacts, with documented RTO / RPO, communication tree, and legal counsel notification. Per CISA's Tabletop Exercise Packages, this is the artifact insurers and regulators ask for first.
- Annual penetration test or breach simulation. External validation that the EDR / SOC / identity stack actually catches a representative kill chain.
What should an NC SMB do in the next 60 days?
A four-step plan to bring NC SMB dwell time from "indefinite" to under one week:
- Audit M365 / Entra ID sign-in history (week 1). Pull the last 90 days of risky sign-ins (Entra ID Protection), sign-in logs, OAuth consent grants (the "Consent to application" events in the directory audit log), and impossible-travel detections. Note that Entra ID natively retains sign-in and audit logs for only 30 days on P1/P2 (7 days on the free tier), so a full 90-day view exists only if the logs were already being exported to Log Analytics or a SIEM; if they were not, that retention gap is the first finding. If alerts exist that no one investigated, treat the audit as the start of an active incident.
- Deploy managed EDR with 24/7 SOC (weeks 2 - 4). Microsoft Defender for Business + partnered SOC for the entry tier, or upgrade to SentinelOne / CrowdStrike with managed SOC for environments with regulated data (HIPAA, CMMC, PCI).
- Test backup recovery against a ransomware scenario (weeks 4 - 6). Restore a representative VM and a database to a clean tier, validate RTO, and document the result. If recovery fails, the backup tier is decorative.
- Sign the incident runbook (weeks 6 - 8). Named contacts, 24/7 phone numbers, breach counsel, cyber-insurance broker, communication tree. Test it with a tabletop.
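The week-1 audit above, like the "retained, not monitored" sign-in log pattern described earlier, comes down to a handful of questions you can ask of an exported log. The script below is an added example written for this page, not PDC's tooling or anything from the original article. It runs those checks offline over constructed records shaped like the Microsoft Graph signIn and directoryAudit resources: consecutive successful sign-ins by one user that imply impossible travel (great-circle distance over elapsed time), successful sign-ins from outside an assumed home-country set, risky sign-ins still in riskState "atRisk" (the alert that fired and nobody read), and "Consent to application" audit events (the OAuth grants to review). The home country (US), the 900 km/h speed threshold, the example.com users and every record are assumptions constructed for the demonstration.

```python
"""Offline triage of exported Entra ID sign-in and directory-audit records.

Added example for this page, not PDC's tooling. All records are CONSTRUCTED
in the shape of the Microsoft Graph `signIn` / `directoryAudit` resources; in
practice feed triage() the JSON from Get-MgAuditLogSignIn /
Get-MgAuditLogDirectoryAudit or a Log Analytics export.
"""
import json
import math
from collections import defaultdict
from datetime import datetime

HOME_COUNTRIES = {"US"}          # assumption: staff sign in from the US
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: ~airliner speed; faster is impossible travel


def _rec(ts, upn, ip, code, risk, state, city, cc, lat, lon):
    """Build a record shaped like a Graph signIn object (subset of fields)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}, "riskLevelDuringSignIn": risk, "riskState": state,
            "location": {"city": city, "countryOrRegion": cc,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}}}


SAMPLE_SIGNINS = [  # constructed sample; errorCode 50126 = invalid username/password
    _rec("2026-03-02T13:05:00Z", "alice@example.com", "198.51.100.10", 0, "none", "none", "Greensboro", "US", 36.07, -79.79),
    _rec("2026-03-02T14:20:00Z", "alice@example.com", "203.0.113.77", 0, "high", "atRisk", "Moscow", "RU", 55.75, 37.62),
    _rec("2026-03-02T09:00:00Z", "bob@example.com", "198.51.100.10", 0, "none", "none", "Greensboro", "US", 36.07, -79.79),
    _rec("2026-03-02T11:00:00Z", "bob@example.com", "198.51.100.22", 0, "none", "none", "Charlotte", "US", 35.23, -80.84),
    _rec("2026-03-02T03:15:00Z", "bob@example.com", "203.0.113.9", 50126, "none", "none", "Moscow", "RU", 55.75, 37.62),
    _rec("2026-03-02T10:30:00Z", "carol@example.com", "192.0.2.44", 0, "medium", "remediated", "Toronto", "CA", 43.65, -79.38),
]

SAMPLE_AUDIT = [  # constructed sample shaped like Graph directoryAudit objects
    {"activityDateTime": "2026-03-02T14:22:00Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "Mail Sync Helper", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-03-02T15:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "bob@example.com", "type": "User"}]},
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Consecutive *successful* sign-ins by one user that imply travel faster than max_kmh."""
    by_user = defaultdict(list)
    for r in signins:
        if r["status"]["errorCode"] == 0:
            by_user[r["userPrincipalName"]].append(r)
    findings = []
    for upn, recs in by_user.items():
        recs.sort(key=lambda r: _ts(r["createdDateTime"]))
        for a, b in zip(recs, recs[1:]):
            ga, gb = a["location"]["geoCoordinates"], b["location"]["geoCoordinates"]
            km = haversine_km(ga["latitude"], ga["longitude"], gb["latitude"], gb["longitude"])
            hours = (_ts(b["createdDateTime"]) - _ts(a["createdDateTime"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if km > 0 and speed > max_kmh:  # km > 0 guards same-place, same-second duplicates
                findings.append({"upn": upn, "from": a["location"]["city"], "to": b["location"]["city"],
                                 "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return findings


def foreign_successes(signins, home=HOME_COUNTRIES):
    """Successful sign-ins from outside the home countries; failed foreign attempts are noise, successes are access."""
    return [{"upn": r["userPrincipalName"], "country": r["location"]["countryOrRegion"], "ip": r["ipAddress"]}
            for r in signins
            if r["status"]["errorCode"] == 0 and r["location"]["countryOrRegion"] not in home]


def unremediated_risky(signins):
    """Medium/high-risk sign-ins still 'atRisk': an alert fired and nobody acted on it."""
    return [{"upn": r["userPrincipalName"], "time": r["createdDateTime"], "risk": r["riskLevelDuringSignIn"]}
            for r in signins
            if r["riskLevelDuringSignIn"] in ("medium", "high") and r["riskState"] == "atRisk"]


def consent_grants(audit):
    """'Consent to application' audit events: each one is an OAuth grant to review."""
    out = []
    for e in audit:
        if e["activityDisplayName"] != "Consent to application":
            continue
        user = ((e.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
        apps = [t["displayName"] for t in e["targetResources"] if t.get("type") == "ServicePrincipal"]
        out.append({"time": e["activityDateTime"], "upn": user, "apps": apps})
    return out


def triage(signins, audit):
    """Run every check; any non-empty list means the audit has become an incident."""
    return {"impossible_travel": impossible_travel(signins),
            "foreign_successes": foreign_successes(signins),
            "unremediated_risky": unremediated_risky(signins),
            "consent_grants": consent_grants(audit)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SIGNINS, SAMPLE_AUDIT), indent=2))
```

On the sample data this flags alice (Greensboro to Moscow in 75 minutes, roughly 8,200 km, plus a high-risk sign-in still marked atRisk and a fresh app consent), flags carol's Toronto sign-in as a foreign success even though her risk was remediated, and deliberately ignores bob's failed sign-in from Moscow: a failed foreign attempt is background password-spray noise, a successful one is access. Any non-empty list from triage() is the "treat the audit as the start of an active incident" condition from step 1.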
Key takeaway: The NYC Health + Hospitals incident is a reminder that dwell time, not initial access, is what determines breach scope. NC SMBs that compress dwell time to under 7 days survive the next phishing event with limited exposure; NC SMBs at 90+ days of dwell time face an event scoped to their entire database, the way three months of undetected access reached 1.8M records at NYC Health + Hospitals.
How does Preferred Data Corporation help NC SMBs cut dwell time?
PDC has run managed IT and cybersecurity for NC small businesses since 1987 with 20+ year average client retention. We bring three things to the dwell-time problem:
- Managed cybersecurity services: Managed Microsoft Defender for Business, 24/7 SOC partnership, identity hardening across M365 and Entra ID, OAuth grant review, and KEV-rate patching.
- Managed IT services: Centralized log review, M365 / Entra ID monitoring, RMM-driven patching, dormant-account purge, and quarterly business reviews tied to the underwriter's checklist.
- Backup and recovery: Veeam Hardened Repository design, immutable cloud tier, quarterly recovery drills, and documented backup-deletion alerting.
For NC small medical practices, NC manufacturers, NC distributors, and NC professional services firms across the Piedmont Triad and beyond, the NYC Health + Hospitals pattern is a free preview of what an undetected breach looks like at NC SMB scale. The work this quarter decides whether your dwell time is 7 days or 90 days the next time a credential is phished.
Need a 24/7 detection stack documented in 60 days? Call (336) 886-3282 or book a detection posture review.
Frequently Asked Questions
What happened at NYC Health + Hospitals?
Attackers maintained undetected access from November 2025 to February 2026 - approximately three months - and exfiltrated medical records, personal data, and fingerprint scans for at least 1.8 million people. Per TechCrunch, the breach is one of the largest healthcare incidents of 2026.
Why did Senator Cassidy send a letter on June 4, 2026?
To demand a detailed account of the cybersecurity controls in place, the timeline of intrusion detection and federal notification, and the remediation steps. Per the June 4, 2026 letter, responses were due to the Senate HELP Committee by June 18, 2026. The Senate-level inquiry reflects the scope of the breach (1.8M individuals) and the significance of the three-month dwell time.
What is attacker dwell time and why does it matter?
Dwell time is the interval between an attacker's initial access and the moment defenders detect them. Per Mandiant M-Trends 2026 and Verizon 2026 DBIR, SMBs without managed detection average 90 - 180 days of dwell time; SMBs with 24/7 SOC monitoring see dwell time under 7 days. The dwell time is what determines how much data is exfiltrated, how many systems are compromised, and how leveraged a ransomware event becomes.
Is the NYC Health + Hospitals pattern relevant to a 30-person NC clinic?
Yes. The same detection failure - logs retained but not reviewed - is the default state of most NC small medical practices, distributors, and professional services firms. The scale of the data set is different; the dwell-time mechanism is identical. A 30-person NC clinic running M365 without managed EDR and without 24/7 SOC triage is exposed to the same multi-month dwell time the next time a credential is phished.
How fast can an NC SMB cut its dwell time below 7 days?
60 days for the core stack. A typical NC SMB can deploy managed EDR with 24/7 SOC monitoring in 2 - 4 weeks, audit M365 / Entra ID identity in 1 - 2 weeks, test backup recovery in 2 weeks, and sign the incident runbook within 8 weeks. Total monthly managed-cybersecurity cost typically runs $4,000 - $12,000 - a fraction of the $254K median 2026 SMB breach cost.
Does HIPAA require this level of detection for an NC small medical practice?
Yes, in substance. The rule does not name a SOC or an EDR product, but the HIPAA Security Rule's Security Management Process standard carries a required implementation specification, Information System Activity Review (45 CFR 164.308(a)(1)(ii)(D)), to "implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." A small medical practice whose logs are retained but never reviewed cannot honestly attest to meeting it. Per OCR enforcement guidance, 2026 enforcement actions have increasingly cited inadequate detection as a contributing factor in breach settlements.
Related Resources
- Managed Cybersecurity Services for NC Businesses - 24/7 SOC, EDR, identity hardening
- Managed IT Services for NC Businesses - Log review, M365 monitoring, runbooks
- Backup and Recovery Services - Immutable repositories and deletion alerting
- Healthcare Industry IT Solutions - HIPAA-aligned managed services for NC clinics
- NC SMB Cyber Math 2026: 49% Hit, $254K Loss - Companion SMB threat data
- Contact Preferred Data Corporation - 24/7 detection posture review