Contents
Entity Profile
| Property | Value |
|---|---|
| Type | 501(c)(3) nonprofit hospital system |
| Legal Name | The New York and Presbyterian Hospital (EIN: 13-3957095) |
| Domain(s) | nyp.org (+ 15 alternate domains, 2,166+ subdomains) |
| Jurisdiction | New York, NY (Manhattan, Brooklyn, Queens, Westchester, Hudson Valley) |
| Hosting | Self-hosted (ARIN /16 block: 143.104.0.0/16) + Columbia University network; public site on Acquia/Drupal behind Cloudflare |
| Proofpoint gateway → Microsoft 365 backend | |
| Revenue | $10.7B (2024) |
| Employees | 36,103 |
| EHR | Epic |
| Bond Rating | Moody's Aa2 (stable) |
Budget Signals
NYP is a $10.7B revenue system with $21.9B in total assets and a 4.1% operating margin ($112.5M operating income in Q1 2025). The system received $60M in FEMA COVID reimbursement in H1 2025, which contributed to a $101M quarterly surplus.
Active Federal Funding Streams
- HRSA Ryan White HIV/AIDS: $2.7M
- SAMHSA mental health/substance abuse: $1.2M
- HRSA 340B drug pricing program participant (ID: 25027)
- Medicare Provider #330101 (likely billions in annual CMS revenue)
- Manhattan DA Criminal Justice Investment Initiative: $10.3M for Youth Opportunity Hub
Foundation arm: NewYork-Presbyterian Fund Inc distributes $138.5M annually from $3.7B in assets.
Capital commitments: $1.2B "Beacon" cancer center (completion 2028), Och Spine at The Spiral, Brooklyn Methodist MOB, women's health centers ($20M Fazzalari gift).
Signal: NYP spends aggressively on clinical facilities and has access to major capital markets (Aa2 bonds). However, they are simultaneously laying off 1,000+ workers and facing $1B+ in legal settlements. Technology investments may be constrained relative to infrastructure spending. The active DOJ antitrust suit could force pricing concessions that compress margins.
Technology Gaps
Strengths
- Enterprise-grade certificate management (DigiCert, no wildcards, proper rotation)
- Full security header suite on public site (HSTS, CSP, X-Frame-Options)
- Proofpoint email security with SPF/DKIM
- Self-hosted DNS with redundancy (Cornell secondaries)
- SonarQube code quality, Daggerboard SBOM tracking
Gaps & Opportunities
- 2,166+ subdomains with 374 dev/test environments visible in CT logs — certificate governance has not scaled to match infrastructure growth
- 7+ authentication portals indexed by search engines — InfoSec API, MDM portal, intranet login, PingFederate SSO
- Oracle WebCenter Sites (FatWire) CMS legacy identified in Wayback — internal systems may still run legacy CMS
- 16+ SaaS vendors verified in DNS TXT records — vendor sprawl creates supply chain complexity
- HIPAA pixel-tracking incident (2023) — Meta, Google, TikTok pixels ran on healthcare pages for 6 years without detection
- Medical device integration subdomains (Masimo, Sigma pumps, BrainLab, Midmark) visible in CT logs — IoMT systems are difficult to patch and monitor
Oahe relevance: Limited. NYP has a massive, mature IT organization. They are not a candidate for Oahe's data services in the traditional sense. However, the pixel-tracking blind spot suggests that data governance consulting (specifically: what data leaves the perimeter via web analytics and marketing tools) could be a niche entry point.
Decision Makers
| Name | Role | Source |
|---|---|---|
| Dr. Brian G. Donley | President & CEO (since Jan 2026) | NYP announcement |
| Dr. Deepa Kumaraiah | EVP & COO (since Jan 2026) | NYP announcement |
| Michael P. Breslin | Group SVP, CFO & Treasurer | Becker's |
| Mary Beth Claus | Group SVP, Chief Legal Officer | Craft.co |
| Devika Mathrani | Chief Marketing & Communications Officer | RocketReach |
| Dr. Rahul Sharma | Medical Board President | Weill Cornell |
| Adebayo O. Ogunlesi | Board Co-Chair (also GIP Chairman) | NYP Board page |
| Jerry Speyer | Board Co-Chair (also Tishman Speyer Chairman) | NYP Board page |
Key context: The Donley/Kumaraiah leadership team took office January 22, 2026 — less than 3 months ago. They inherited the DOJ antitrust suit, the Hadden settlement tail, and multiple insurer disputes. New leadership = potential openness to new vendors and fresh approaches.
Pain Points
1. Antitrust litigation pressure. The DOJ suit alleges NYP uses market power to force "all-or-nothing" contracts on insurers. If successful, this fundamentally threatens NYP's pricing model and revenue structure.
2. Insurer relationship deterioration. UnitedHealthcare dropped NYP from Medicare Advantage (Jan 2026). EmblemHealth dispute threatens 40,000 NYC civil servants. 32BJ SEIU ran a $6-figure media campaign accusing NYP of "sky high prices."
3. Compliance fatigue across subsidiaries. Enforcement actions at Brooklyn Methodist ($17.3M), Hudson Valley ($6.8M), Queens ($2.5M), and the flagship ($800K) span multiple subsidiary entities and compliance domains.
4. Data governance blind spots. The 2023 pixel-tracking settlement (54,396 patients' PHI exposed for 6 years) and the 2014 ePHI breach (6,800 patients) suggest privacy monitoring does not keep pace with technology adoption.
5. Infrastructure visibility. 2,166+ subdomains, 374 dev/test environments, and detailed technology stack all publicly visible via CT logs and DNS.
6. Workforce tensions. 1,000 layoffs (May 2025), 614 nurse staffing violations with ~$675K in arbitration awards, and active labor disputes with NYSNA.
Competitive Landscape
Peer institutions (NYC): Mount Sinai Health System, NYU Langone Health, Montefiore Medical Center, Northwell Health.
Federal contracting: NYP's primary federal revenue comes through CMS (Medicare/Medicaid), not competitive contracts. HRSA and SAMHSA grants are program-specific.
Technology vendors: Epic (EHR), Proofpoint (email), Palo Alto (network), Cisco (UC/contact center), Microsoft 365 (productivity), Salesforce (marketing), ADP (payroll), Imprivata (identity), Everbridge (emergency). Any Oahe engagement would need to operate in a niche not covered by these incumbents.
Insurance competitors aggressively pricing against NYP. The 32BJ and EmblemHealth disputes suggest insurers are using cost comparison data to justify excluding NYP from networks. This creates demand for data that demonstrates NYP's quality/value proposition.
Timing Opportunities
1. New CEO honeymoon period (now through 2026). Donley took office January 2026. New leadership teams typically audit vendor relationships in their first 6-12 months. Optimal window for cold outreach.
2. Post-DOJ response (2026). NYP will need to demonstrate competitive reasonableness and community benefit to counter the antitrust narrative. Data-driven community health analytics could support their defense.
3. The Beacon cancer center planning (2025-2028). A $1.2B construction project generates data and analytics needs around community health assessment, outcomes measurement, and market positioning.
4. Pixel-tracking remediation (ongoing). The 2023 AG settlement requires improved privacy practices. Website data governance consulting could be positioned as compliance follow-through.
5. 340B program defense. NYP actively lobbies on 340B drug pricing reforms. Data analytics supporting 340B community benefit claims could be valuable as the program faces Congressional scrutiny.
Recommended Approach
NewYork-Presbyterian is an aspirational target, not a near-term client for Oahe Data. The institution operates at a scale ($10.7B revenue, 36,000 employees, enterprise IT organization) that is orders of magnitude beyond Oahe's current service offerings. Direct data services engagement is unlikely.
However, there are two potential angles worth tracking:
1. Community health data for regulatory defense. NYP needs to demonstrate community benefit to counter antitrust allegations and justify its pricing premium. Oahe's FP-STAN data infrastructure could support community health needs assessments, social determinants analysis, and health equity reporting — particularly for NYP's Washington Heights/Inwood service area, which has significant health disparities. Entry point: NYP's Community Health Needs Assessment (CHNA) cycle or the PPS/DSRIP network.
2. Reference case / visibility. Even a small engagement with an institution of NYP's prestige creates significant credibility for Oahe. The pixel-tracking settlement creates a narrative hook ("the data you don't know is leaving your perimeter") that aligns with Oahe's data sovereignty positioning — though framed for healthcare compliance rather than tribal governance.
If pursuing, contact through the Community Health department (which manages the CHNA and PPS network) rather than IT or procurement. The community health team operates with more autonomy and smaller budgets than enterprise IT, making it a more accessible entry point.