A data breach at NYC Health and Hospitals has compromised medical records, fingerprints, and geolocation information of 1.8 million individuals.
TL;DR: NYC Health and Hospitals reported a hack that compromised medical records, personal data, and biometric information, including fingerprints, of at least 1.8 million individuals. The intrusion, which ran from November 2025 to February 2026, stemmed from a compromise of a third-party vendor.
New York City Health and Hospitals, the largest public healthcare system in the United States, has revealed that hackers accessed personal data, medical records, and biometric data, including fingerprints, affecting at least 1.8 million people. The organization notified the US Department of Health and Human Services, and the incident ranks as one of the largest healthcare data breaches in 2026.
On February 2, 2026, NYCHHC became aware of the cyberattack and secured its network. The hackers had been inside the system since about November 25, 2025, giving them over two months of undetected access. During this time, they extracted a wide array of sensitive information, including health insurance details, medical records such as diagnoses and medications, billing information, Social Security numbers, passport and driver’s license numbers, as well as biometric data like fingerprints and palm prints.
The Biometric Concern
The theft of fingerprints and palm prints makes this breach particularly alarming compared to other healthcare data incidents that have become common in the U.S. While a stolen Social Security number can be replaced and a compromised password can be changed, a fingerprint cannot. Once biometric data is compromised, individuals face a lifelong vulnerability with no way to revoke or change that information.
NYCHHC has not clarified why it was storing biometric data, though it may be linked to employee onboarding, which typically requires fingerprints for criminal background checks. It remains unconfirmed whether patients' biometric data was also included. The risks associated with collecting biometric data are well-documented, ranging from military situations where compromised databases jeopardized individuals to commercial scenarios where the permanence of biometric identifiers results in long-term exposure that credit monitoring cannot address.
The breach notice also indicated that "precise geolocation data" was taken, implying that user-uploaded photos of identity documents may have included embedded location metadata revealing where and when those photos were taken.
Access Through a Third-party Vendor
NYCHHC stated that the hackers gained entry via a breach at an unnamed third-party vendor. This method is increasingly common in healthcare cybersecurity: attackers often target a supplier or service provider instead of directly compromising the primary organization, exploiting the access vendors have during normal operations.
A notable example is the largest education data breach, which occurred when attackers accessed a learning management system vendor, affecting millions of students. In the healthcare sector, where systems are interconnected through billing platforms, electronic health records, and insurance networks, the vendor risk surface is extensive and poorly understood. The 2024 Change Healthcare ransomware attack, which compromised medical and billing information for over 190 million Americans, exemplified this risk, showing that the issue also impacts public health systems serving vulnerable populations.
Who Is Affected
NYCHHC cares for over one million New Yorkers annually, primarily those who are uninsured or receive state healthcare benefits such as Medicaid. The reported figure of 1.8 million likely includes current and former patients, employees, and others whose data was stored in the compromised systems. The organization operates 11 acute care hospitals, five skilled nursing facilities, and over 70 community-based clinics throughout the city's five boroughs.
The population served by NYCHHC is predominantly low-income, immigrant, and underserved, and faces significant challenges in responding to identity theft and fraud. Unlike patients in private health systems, who may have access to identity protection services through employers, many NYCHHC patients will rely on whatever credit monitoring and support the organization can provide in the aftermath, a level of support that healthcare organizations have not consistently achieved in past data breaches.
The Healthcare Cybersecurity Crisis
This breach occurs amid ongoing assaults on American healthcare infrastructure. The FBI's 2025 annual cybercrime report identified healthcare as a primary target for ransomware operators, who steal data while encrypting the victim’s systems and then demand payment to prevent its publication. Stolen medical data is particularly lucrative in criminal markets because it can facilitate insurance fraud, identity theft, prescription fraud, and targeted phishing campaigns impersonating healthcare providers.
Healthcare breaches are also the costliest to manage. Industry data indicated that the average expense of a healthcare data breach surged to $7.42 million in 2025, the highest among all sectors, with an average of 279 days required to detect and contain an incident. NYCHHC’s timeline of around 70 days of undetected access falls within that range but remains concerning. The increasing implementation of AI-powered cybersecurity tools was intended to reduce detection periods; however, the NYCHHC breach indicates that public health systems, typically operating on tighter budgets and with older infrastructure than private organizations, have yet to benefit from such advancements.
NYCHHC’s website briefly went offline on Monday morning. A spokesperson did not respond to inquiries regarding the months-long delay in
