NYC Health and Hospitals confirms breach of 1.8 million records including biometrics
Hackers maintained access from November 2025 to February 2026, stealing medical data, identity documents, and sensitive biometric information in an incident that underscores the sector’s vulnerability to ransomware.
NYC Health and Hospitals has confirmed a significant cyberattack affecting at least 1.8 million individuals, marking one of the largest healthcare-related data breaches of 2026. The public health system, which serves more than a million New Yorkers, reported the incident to the U.S. Department of Health and Human Services after detecting the intrusion on 2 February 2026. The breach involved the theft of personal data, medical records, and biometric information, including fingerprints and palm prints.
According to the system, hackers maintained access to the network from November 2025 until the breach was identified and the network was secured. The intrusion was facilitated by a vulnerability in an unnamed third-party vendor, through which attackers copied files from the system. The duration of the access period highlights the challenges healthcare organisations face in detecting sophisticated, financially motivated cybercriminals who often dwell in networks for extended periods before exfiltrating data.
The compromised data is extensive and varies by individual, encompassing health insurance details, diagnoses, medications, and billing information. Government-issued identity documents, such as Social Security numbers, passports, and driver’s licenses, were also stolen. Additionally, the breach notice indicated that precise geolocation data was taken, suggesting that user-uploaded photos of identity documents may have contained metadata revealing the exact location of capture.
The exposure of biometric data is particularly critical, as fingerprints and palm prints are immutable identifiers that individuals cannot replace. While NYCHHC did not explicitly detail why patient biometrics were stored, the system generally requires prospective employees to provide fingerprints for criminal records checks. It remains unclear whether the stolen biometric data belonged to patients or staff, though the potential for long-term identity theft risks is significant.
This incident appears unrelated to a separate cyberattack earlier in the year involving the National Association on Drug Abuse Problems, which affected over 5,000 NYCHHC patients. The breach occurs against a backdrop of heightened cyber threats to the healthcare sector, with the FBI’s 2025 annual cybercrime report identifying healthcare as a top target for ransomware. Previous major incidents, such as the attack on UnitedHealth-owned Change Healthcare, have demonstrated the scale of data theft possible in the sector, with over 190 million Americans affected in that case.
As of Monday morning, NYCHHC’s website was briefly offline, and a spokesperson did not immediately respond to requests for comment regarding the detection timeline or potential ransom demands. The organisation has not disclosed whether it has received any communication from the hackers, including demands for payment. The incident reinforces the ongoing pressure on public health institutions to secure sensitive patient information against increasingly sophisticated cyber threats.
