The breach at NYC Health and Hospitals has revealed the medical records, fingerprints, and geolocation information of 1.8 million individuals.
TL;DR NYC Health and Hospitals revealed that hackers accessed and stole medical records, personal information, and biometric data, including fingerprints, from over 1.8 million individuals. The breach occurred between November 2025 and February 2026 and was linked to a compromised third-party vendor.
New York City Health and Hospitals, the largest public healthcare system in the U.S., reported that hackers stole personal data, medical records, and biometric information from at least 1.8 million people. This information was shared with the U.S. Department of Health and Human Services, making it one of the largest healthcare data breaches in 2026.
On February 2, 2026, NYCHHC identified the cyberattack and secured its network, noting that the hackers had been in its systems since approximately November 25, 2025, which gave them over two months of undetected access. During this time, they copied sensitive data, including health insurance details, comprehensive medical records, billing information, Social Security numbers, and biometric data like fingerprints and palm prints.
The biometric data theft is significant as it differentiates this breach from typical healthcare data incidents. Unlike replaceable Social Security numbers or passwords, stolen biometric data presents a lifelong security risk for individuals, as there is no way to revoke or change it once compromised.
The reason for NYCHHC storing biometric data was not provided, though it is likely related to employee onboarding processes that require fingerprints for background checks. Whether patient biometric data was also impacted remains unconfirmed. The collection of biometric data has raised concerns in various contexts due to the long-term vulnerabilities it introduces, as demonstrated by incidents in both military and commercial settings.
Additionally, the breach notice indicated that "precise geolocation data" was also stolen, implying that user-uploaded identification documents might have included location metadata showing when and where the documents were taken.
Regarding the breach method, NYCHHC stated that hackers accessed their systems through a third-party vendor, which has not been named. This approach is common in healthcare cybersecurity, where attackers often compromise suppliers or service providers rather than the target organization directly, taking advantage of the established trust and network access of these vendors.
The largest educational data breach followed a similar pattern when attackers exploited a vendor of a learning management system, affecting millions of students across numerous institutions. In healthcare, where systems are interconnected through billing, electronic health records, and insurance networks, the vendor attack surface is extensive and largely unmonitored. The 2024 Change Healthcare ransomware attack, which compromised the medical and billing information of over 190 million Americans, serves as a stark example, highlighting the vulnerability of public health systems that cater to at-risk populations.
NYCHHC serves more than one million New Yorkers annually, most of whom are either uninsured or rely on state healthcare benefits like Medicaid. The reported figure of 1.8 million likely includes current and former patients, employees, and others whose data was stored in the affected systems. The organization operates 11 acute care hospitals, five skilled nursing facilities, and over 70 community-based clinics across New York City's five boroughs.
The population served by NYCHHC is primarily low-income, immigrant, and medically underserved, making them particularly vulnerable to the impacts of identity theft and fraud. Unlike patients at private healthcare facilities who might access identity protection services through their employers, many NYCHHC patients may have to rely on limited credit monitoring and support provided by the organization post-breach, a standard not consistently upheld by healthcare organizations even in the case of data breaches.
This incident occurs amidst ongoing cyberattacks targeting American healthcare systems. According to the FBI’s 2025 cybercrime report, healthcare continues to be a prime target for ransomware groups, which steal data while encrypting the victim’s systems and demand payment to avoid releasing the data. Stolen medical information is especially valuable to criminals for insurance fraud, identity theft, and phishing schemes impersonating healthcare providers.
Healthcare data breaches are also notoriously costly to mitigate. Industry statistics reveal that the average cost of a healthcare data breach soared to $7.42 million in 2025, the highest across any sector, with detection and containment taking about 279 days on average. In NYCHHC's case the hackers were in the network for about 70 days before detection, a timeframe that is still alarming. While AI-driven cybersecurity tools are intended to help shorten detection times, the NYCHHC breach indicates that public health systems, which often operate on tighter budgets and older technologies than their private counterparts, may not yet have reaped the benefits of these advancements.
On Monday morning, NYCHHC’s website experienced a brief outage. A representative did not respond to inquiries regarding the delay in identifying the breach, whether a ransom was demanded, or what remediation steps will be taken for those affected. This incident is reported to be separate from a smaller breach earlier this year at the National Association on Drug Abuse Problems that affected over 5,000 NYCHHC patients. For the 1.8 million individuals
