- NYC Health + Hospitals confirms cyberattack exposed sensitive data on 1.8 million people
- The stolen information includes medical records, government IDs, geolocation data, as well as biometrics and palm prints.
- The breach originated with a third-party vendor, increasing the long-term risks of fraud, identity theft and targeted phishing.
NYC Health + Hospitals (NYCHHC), New York City’s public health system and the largest municipal health network in the United States, has confirmed that it suffered a cyberattack in which it lost highly sensitive data on 1.8 million people.
Among the data stolen are fingerprints and palm prints, which can never be changed, making this breach even more disruptive.
Citing a data breach notice posted on the NYCHHC website, TechCrunch claims the attack began in November 2025 and lasted until February 2026, when the criminals were finally spotted and removed from the network. During that time, however, they successfully exfiltrated sensitive data on 1.8 million people, including information about patients’ health insurance plans and policies, medical information (e.g., diagnoses, medications, tests, and images), billing, claims, and payment information.
Third Party Supply Chain Attack
Social Security numbers, passports, and driver’s licenses were apparently also compromised, and to make matters worse, NYCHHC said the attackers also made off with “precise geolocation data.”
But the most valuable data stolen is undoubtedly fingerprints and palm prints. We don’t know exactly how many people are affected, or whether they are employees, patients, or both, but according to TechCrunch, NYCHHC requires employees to register their fingerprints for criminal background checks.
The incident was reported to the U.S. Department of Health and Human Services.
NYCHHC said the criminals exploited a vulnerability in an unnamed third-party vendor. For Chris Debrunner, CISO at CBTS, this isn’t really a surprise, since healthcare organizations are “interconnected by design.” However, this also means that “third party risk and the third parties they use cannot be treated as a procurement check box or an annual compliance check box.”
“The downstream risk and impact on those affected could last well beyond initial mitigation measures,” Debrunner commented. “Medical information, government IDs, location data and biometrics could all be successfully used for targeted phishing, identity theft, fraud and social engineering, not only for those directly affected, but also potentially for extended family and acquaintances. Third-party access must be limited, monitored and linked to clear inventories of roles, data and systems. In these sensitive environments, security must be continuously measured by how quickly you can detect it and mitigate it before you get to the point of recovery.”





