- NYC Health + Hospitals Confirms Sensitive Data Exposed by Cyber Attack on 1.8 Million Individuals
- Stolen information includes medical records, government IDs, geolocation data, and biometric fingerprints and palm prints
- The breach stemmed from a third-party vendor failure, increasing long-term risks of fraud, impersonation and targeted phishing
NYC Health + Hospitals (NYCHHC), the public health system of New York City and the largest municipal health network in the United States, has confirmed that it has suffered a cyber attack in which it lost highly sensitive data of 1.8 million people.
Among the stolen data are fingerprints and palm prints, which can never be changed, making this breach even more disturbing.
Referring to a data breach notice published on the NYCHHC website, TechCrunch says the attack started in November 2025 and lasted until February 2026, when the criminals were finally discovered and removed from the network. During that time, however, they were able to steal sensitive data on 1.8 million people, including patients’ health insurance plan and policy information, medical information (such as diagnoses, medications, tests and images), and billing, claims and payment information.
Third Party Supply Chain Attacks
Social security numbers, passports and driver’s licenses were also apparently compromised, and to make matters worse, the NYCHHC said the attackers also walked away with “precise geolocation data.”
But the most valuable data stolen are definitely the fingerprints and palm prints. We do not know exactly how many are affected, or whether they are employees, patients or both, but according to TechCrunch, NYCHHC requires employees to register their fingerprints for criminal records checks.
The incident was reported to the US Department of Health.
NYCHHC said the criminals exploited a flaw in an unnamed third-party vendor. For Chris Debrunner, CISO at CBTS, this is not much of a surprise as healthcare organizations are “connected by design”. However, this also means “third-party risk, and the third parties they use cannot be treated as a purchase checkbox or an annual compliance checkbox.”
“The downstream risk and impact to the affected individuals can last well beyond the initial mitigations,” commented Debrunner. “Medical information, government IDs, location data, and biometrics can all be used for targeted phishing, impersonation, fraud, and social engineering, not just for those directly affected, but potentially for extended families and acquaintances. Third-party access must be restricted, monitored, and tied to clean inventories of roles, data, and systems. In these security-sensitive environments, you can continuously discover how sensitive and systems you can measure. mitigate before you ever get to the point of recovery.”
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.