NYC Health + Hospitals says breach exposed medical records and biometric data for 1.8 million people
Hackers accessed months of sensitive data
NYC Health + Hospitals says a months-long cyberattack exposed personal data, medical records and biometric information belonging to at least 1.8 million people, making it one of the largest healthcare breaches reported this year.
The public health system, the largest in the United States, said it detected the attack on February 2 and secured its network. But according to its breach notice, hackers had already been inside the system since November 2025 and were able to copy files before being removed.
NYC Health + Hospitals reported the incident to the U.S. Department of Health and Human Services. The system serves more than a million New Yorkers, most of whom are uninsured or rely on state healthcare coverage such as Medicaid.
Fingerprints, palm prints and identity documents taken
The exposed information varies by person, but the organization said it includes health insurance plan and policy details, medical records such as diagnoses, medications, tests and imagery, as well as billing, claims and payment data. Government-issued identity documents including Social Security numbers, passports and driver’s licenses were also compromised.
The breach notice also mentions “precise geolocation data,” raising the possibility that uploaded identity document photos may have included location metadata.
The most sensitive element of the incident is the theft of biometric data, including fingerprints and palm prints. Those identifiers cannot be changed if misused. NYC Health + Hospitals did not explain why it stored biometric information, though prospective employees are generally required to enroll fingerprints for criminal records checks. It remains unclear whether patients’ biometric data was also taken.
Third-party vendor breach blamed
Protect your privacy with Doppler VPN
3-day free trial. No registration. No logs.
The health system said the hackers gained access through a breach at an unnamed third-party vendor. Its website was briefly offline Monday morning, and a spokesperson did not immediately respond to questions about the attack, including why it took months to detect and whether the organization had received ransom demands.
Healthcare providers have been repeatedly targeted by financially motivated cybercriminals in recent years because of the volume of sensitive personal, medical and billing data they hold. The NYC Health + Hospitals breach now stands among the year’s most serious examples.
Sources: