TL;DR
NYC Health and Hospitals disclosed that hackers stole medical records, personal data, and biometric information including fingerprints from at least 1.8 million people. The breach, which lasted from November 2025 to February 2026, originated through a compromised third-party vendor.
New York City Health and Hospitals, the largest public healthcare system in the United States, has disclosed that hackers stole personal data, medical records, and biometric information, including fingerprints, in a breach affecting at least 1.8 million people. The organisation reported the figure to the US Department of Health and Human Services, making the incident one of the largest healthcare data breaches of 2026.
NYCHHC said it detected the cyberattack on 2 February 2026 and secured its network. The hackers had been inside the system since approximately 25 November 2025, giving them more than two months of access before detection. During that period, they copied files containing an extraordinary range of sensitive information: health insurance details, medical records including diagnoses and medications, billing and payment data, Social Security numbers, passport and driver’s licence numbers, and biometric data including fingerprints and palm prints.
The biometric problem
The theft of fingerprints and palm prints is what distinguishes this breach from the steady drumbeat of healthcare data incidents that have become routine in American medicine. A stolen Social Security number can be replaced. A compromised password can be changed. A fingerprint cannot. Once biometric data is in the hands of attackers, the individuals affected carry that vulnerability for life, with no mechanism for revocation or reissuance.
NYCHHC did not explain why it was storing biometric data. The most likely explanation is employee onboarding: prospective staff are generally required to submit fingerprints for criminal background checks. Whether patients’ biometric data was also compromised has not been confirmed. The risks of biometric data collection have been documented extensively, from military contexts where compromised databases endangered individuals to commercial settings where the permanence of biometric identifiers creates long-term exposure that no credit monitoring service can remediate.
The breach notice also disclosed that “precise geolocation data” was taken, suggesting that user-uploaded photographs of identity documents may have contained embedded location metadata showing exactly where and when the documents were captured.
A third-party vendor breach
NYCHHC said the hackers gained access through a breach at a third-party vendor, which it declined to name. The pattern is familiar and increasingly dominant in healthcare cybersecurity: attackers compromise a supplier or service provider rather than attacking the target organisation directly, exploiting the trust relationships and network access that vendors are granted in the course of normal operations.
The largest education data breach in history followed the same pattern, with attackers compromising a learning management system vendor to reach millions of students at thousands of institutions. In healthcare, where systems are interconnected across billing platforms, electronic health records, and insurance networks, the vendor attack surface is vast and poorly mapped. The Change Healthcare ransomware attack in 2024, which exposed the medical and billing information of more than 190 million Americans, was the most devastating example, but the NYCHHC breach demonstrates that the problem extends to public health systems that serve the most vulnerable populations.
Who is affected
NYCHHC provides care to more than one million New Yorkers each year, the majority of whom are uninsured or receive state healthcare benefits such as Medicaid. The 1.8 million figure reported to HHS likely includes current and former patients, employees, and individuals whose data was stored in the compromised systems. The organisation operates 11 acute care hospitals, five skilled nursing facilities, and more than 70 community-based clinics across the city’s five boroughs.
The population served by NYCHHC is disproportionately low-income, immigrant, and medically underserved, groups that face higher barriers to responding to identity theft and fraud. Unlike patients of private health systems who may have access to identity protection services through their employers, many NYCHHC patients will depend on whatever credit monitoring and support the organisation offers in the aftermath, a standard that healthcare organisations have not consistently met even when patient data was leaked through their own website trackers.
The healthcare cybersecurity crisis
The breach arrives against a backdrop of relentless attacks on American healthcare infrastructure. The FBI’s 2025 annual cybercrime report found that healthcare remained a top target for ransomware operators, financially motivated criminals who steal data while encrypting the victim’s systems and then demand payment to prevent publication. Stolen medical data is particularly valuable on criminal markets because it can be used for insurance fraud, identity theft, prescription fraud, and targeted phishing campaigns that impersonate healthcare providers.
Healthcare breaches are also the most expensive to contain. Industry data shows that the average cost of a healthcare data breach reached $7.42 million in 2025, the highest of any sector, with an average of 279 days to detect and contain an incident. NYCHHC’s timeline, with hackers inside the network for approximately 70 days before detection, falls within that range but is no less alarming for it. The growing adoption of AI-powered cybersecurity tools was supposed to shorten detection windows, but the NYCHHC breach suggests that public health systems, which typically operate with tighter budgets and older infrastructure than their private counterparts, have not yet benefited from those advances.
NYCHHC’s website was briefly offline on Monday morning. A spokesperson did not respond to questions about why it took months to detect the breach, whether the organisation received a ransom demand, or what remediation is being offered to affected individuals. The incident is reported to be unrelated to an earlier, smaller breach at the National Association on Drug Abuse Problems that affected over 5,000 NYCHHC patients earlier this year. For the 1.8 million people whose data, including their irreplaceable biometric identifiers, is now in the hands of unknown attackers, the questions that matter most have no answers yet.
