NYC Health + Hospitals Data Breach Exposes Sensitive Biometrics of 1.8 Million Individuals
Published
Key Takeaways
- Massive data breach: Hackers compromised the records of at least 1.8 million individuals.
- Extended unauthorized access: Attackers accessed the network from November 2025 to February 2026.
- Sensitive biometrics stolen: The compromised files included fingerprints, palm prints, and geolocation data.
NYC Health + Hospitals (NYCHHC) has disclosed a severe data breach that affected at least 1.8 million people. The healthcare system tied the intrusion to a breach at a third-party vendor, which it did not name.
As the largest public health system in the United States, NYCHHC has officially reported the incident to the U.S. Department of Health and Human Services.
Exposure of Medical and Biometric Information
NYCHHC detected the cyberattack on February 2, 2026. Security teams determined that hackers maintained access to the network from November 2025 until February 2026. During this months-long window, the attackers successfully copied files from the network.
The exposed data varied by individual but included highly sensitive records. Hackers stole:
- Health insurance plan and policy information,
- Private medical information, such as:
- patient diagnoses,
- medications,
- tests,
- imagery,
- Financial details, including
- billing,
- claims,
- payment information.
- Government-issued identity documents, including
- Social Security numbers,
- passports,
- driver’s licenses.
The breach notification confirmed that the stolen files contained precise geolocation data. Most notably, the hackers stole permanent biometric data, specifically fingerprints and palm prints. NYCHHC did not provide an explanation for storing biometric data, according to TechCrunch.
NYCHHC Cybersecurity Measures
NYC Health + Hospitals stated it immediately launched an investigation with the support of an unnamed leading cybersecurity firm and a leading data analytics firm to analyze the contents of the data that may have been accessed without authorization.
While the investigation is ongoing, affected individuals should remain vigilant.
Last month, a Hims & Hers data breach exposed patient data via a compromise at a third-party customer support provider.
In March, a cyberattack targeting U.S. medical giant Stryker wiped employee devices, with CISA urging organizations to harden endpoint management systems, a Bell Ambulance breach exposed almost 240,000 patients’ data, and a CareCloud data breach was confirmed.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular