Industry - Data Breach

moderate, Anti-Privacy, Data Breach

Executive Summary

NYC Health + Hospitals, the largest public health system in the United States, disclosed a data breach affecting at least 1.8 million people after hackers accessed its network for three months through a compromised third-party vendor. The stolen data includes medical records, health insurance information, Social Security numbers, driver's licenses, and irreplaceable biometric data such as fingerprints and palm prints. The breach primarily impacts uninsured New Yorkers and Medicaid recipients ...

What Happened

NYC Health + Hospitals, the largest public health system in the United States, experienced a cyberattack that ran from November 2025 through February 2026, affecting at least 1.8 million individuals. Hackers gained access through a compromised third-party vendor and copied files containing medical records, health insurance information, Social Security numbers, driver's licenses, passports, precise geolocation data, and biometric information including fingerprints and palm prints. The healthcare system detected the breach on February 2, 2026, and reported it to the U.S. Department of Health and Human Services, making it one of the largest healthcare-related data breaches of the year.

Who Is Affected

The breach primarily impacts over a million New Yorkers who use NYC Health + Hospitals (NYCHHC) services, the majority of whom are uninsured or receive Medicaid benefits. The stolen data varies by individual but includes patients' medical histories, diagnoses, medications, test results, billing information, and government-issued identity documents. Biometric data such as fingerprints and palm prints was also compromised, though it is unclear whether it belongs to employees (who are required to enroll fingerprints for criminal records checks), patients, or both.

Why It Matters

This breach is particularly severe because it exposed biometric data, which is irreplaceable: affected individuals cannot change their fingerprints or palm prints at any point in their lifetimes, so the risk of identity fraud and impersonation is permanent. The three-month window during which hackers had undetected access to the network, combined with the theft of precise geolocation data and comprehensive medical records, leaves victims exposed over the long term to targeted phishing, medical identity theft, and financial fraud. The incident underscores ongoing systemic vulnerabilities in healthcare organizations and their third-party vendor relationships, with healthcare remaining a top target for financially motivated cybercriminals.

What You Should Do

If you receive notification from NYC Health + Hospitals, immediately enroll in any free credit monitoring services offered and place a fraud alert or credit freeze with the major credit bureaus (Equifax, Experian, and TransUnion). Monitor your medical records, insurance statements, and financial accounts closely for unauthorized activity or fraudulent claims filed in your name. Be extremely vigilant about phishing attempts via email, phone, or text that may use your stolen personal or medical information to appear legitimate, and never provide additional personal information in response to unsolicited contacts.

Summary generated from verified sources and reviewed before publication.

Industry | PrivacyWire