A breach at NYC Health and Hospitals has compromised medical records, fingerprints, and geolocation data for 1.8 million individuals.


      TL;DR: NYC Health and Hospitals reported that hackers stole medical records, personal information, and biometric data, including fingerprints, from at least 1.8 million individuals. The breach, which lasted from November 2025 to February 2026, was traced back to a compromised third-party vendor.

      New York City Health and Hospitals, the largest public healthcare provider in the US, announced that hackers accessed personal data, medical records, and biometric details like fingerprints in a breach affecting over 1.8 million people. The organization informed the US Department of Health and Human Services, making it one of the largest healthcare data breaches of 2026.

      NYCHHC detected the cyberattack on February 2, 2026, and secured its network. However, the hackers had been infiltrating the system since around November 25, 2025, which allowed them over two months of unrestricted access prior to detection. During this time, they copied files with a wide range of sensitive information, including health insurance details, medical records with diagnoses and medications, billing and payment info, Social Security numbers, passport and driver's license numbers, and biometric data like fingerprints and palm prints.

      The biometric issue

      The theft of fingerprints and palm prints sets this breach apart from the more frequent healthcare data incidents in the US. While a stolen Social Security number can be replaced and a compromised password can be changed, a fingerprint cannot be altered. When biometric data falls into the wrong hands, the affected individuals remain vulnerable for life, with no way to revoke or reissue that data.

      NYCHHC did not clarify the reason for storing biometric information. The most plausible explanation is that it's part of the employee onboarding process, as potential staff usually need to submit fingerprints for background checks. It remains unconfirmed if patients' biometric data was also compromised. The dangers associated with biometric data collection have been widely documented, ranging from military situations where compromised databases put individuals at risk to commercial scenarios where the permanence of biometric identifiers leads to long-term vulnerabilities that no credit monitoring service can fix.

      The breach notice also revealed that "precise geolocation data" was taken, indicating that user-uploaded identity document photos may have contained location metadata showing where and when the documents were captured.

      A third-party vendor breach

      NYCHHC stated that hackers accessed the system via a breach at an unnamed third-party vendor. This pattern is becoming increasingly common in healthcare cybersecurity: attackers target suppliers or service providers instead of the main organization, exploiting the trust and network access that vendors typically have during regular operations.

      The largest educational data breach in history followed a similar route, where attackers compromised a learning management system vendor to reach millions of students across numerous institutions. In healthcare, where systems are interconnected through billing platforms, electronic health records, and insurance networks, the attack surface related to vendors is extensive and poorly understood. The Change Healthcare ransomware attack in 2024, which compromised the medical and billing information of over 190 million Americans, was a significant example, but the NYCHHC incident highlights that the issue also impacts public health systems serving vulnerable populations.

      Who is affected

      NYCHHC provides services to over one million New Yorkers annually, predominantly uninsured individuals or those receiving state healthcare benefits like Medicaid. The reported figure of 1.8 million likely includes current and former patients, employees, and individuals whose data was stored within the compromised systems. The organization operates 11 acute care hospitals, five skilled nursing facilities, and more than 70 community clinics throughout the city’s five boroughs.

      The demographic served by NYCHHC is largely low-income, immigrant, and medically underserved, populations that encounter greater challenges in addressing identity theft and fraud. Unlike patients of private health systems who might have access to identity protection services through employers, many NYCHHC patients will rely on whatever credit monitoring and support the organization provides in response, a standard that healthcare organizations have not consistently met, even with data breaches occurring through their own website trackers.

      The healthcare cybersecurity crisis

      This breach occurs amid a wave of ongoing attacks on American healthcare infrastructure. The FBI’s 2025 annual cybercrime report indicated that healthcare remains a primary target for ransomware operators, who steal data while encrypting victims' systems, subsequently demanding payment to prevent exposure. Stolen medical data is highly valuable in criminal markets due to its potential use in insurance fraud, identity theft, prescription fraud, and targeted phishing campaigns impersonating healthcare providers.

      Healthcare breaches are also the most costly to manage. Industry statistics indicate that the average cost of a healthcare data breach reached $7.42 million in 2025, the highest of any sector, with an average of 279 days needed to detect and resolve an incident. NYCHHC’s timeline, with hackers within the network for around 70 days before detection, aligns with this trend but is equally concerning. The increasing use of AI-driven cybersecurity tools was expected to shorten detection times; however, the NYCHHC breach indicates that public health systems, often operating on tighter budgets and utilizing older infrastructure
