- NYC Health + Hospitals Confirms Cyberattack Exposed Sensitive Data of 1.8 Million People
- The stolen information includes medical records, government IDs, geolocation data, and biometric fingerprints and palm prints.
- The breach was due to a failure by a third-party vendor, increasing the long-term risks of fraud, phishing, and spear phishing.
NYC Health + Hospitals (NYCHHC), New York City’s public health system and the largest municipal health network in the United States, has confirmed that it suffered a cyberattack in which it lost highly sensitive data of 1.8 million people.
Among the stolen data were fingerprints and palm prints, which can never be changed, making this breach even more disturbing.
Citing a data breach notice posted on NYCHHC’s website, TechCrunch reports that the attack began in November 2025 and lasted until February 2026, when the intruders were finally detected and removed from the network. During this window they were able to exfiltrate sensitive data on 1.8 million people, including information about patients’ health insurance policies and plans, medical information (e.g., diagnoses, medications, tests, and imaging), and billing, claims, and payment records.
Third-party supply chain attack
Social security numbers, passports, and driver’s licenses were also apparently compromised, and to make matters even worse, NYCHHC said the attackers also took “precise geolocation data.”
But the most sensitive data stolen is undoubtedly the fingerprints and palm prints. It is not yet known exactly how many people’s biometrics were taken, or whether they belong to employees, patients, or both, but according to TechCrunch, NYCHHC requires employees to register their fingerprints for criminal background checks.
The incident was reported to the US Department of Health and Human Services.
NYCHHC said the attackers exploited a vulnerability at an unnamed third-party vendor. For Chris Debrunner, CISO of CBTS, this is not a big surprise, as healthcare organizations are “interconnected by design.” However, this also means that “third party risk and the third parties they use cannot be treated as procurement or annual compliance check boxes.”
“The subsequent risk and impact to affected individuals could last well beyond the initial mitigations,” Debrunner said. “Medical information, government IDs, location data, and biometrics could be successfully used for phishing, spoofing, fraud, and social engineering targeting not only those directly affected, but potentially family members and acquaintances. Third-party access must be limited, monitored, and linked to clear inventories of roles, data, and systems. In these sensitive environments, security must be continually measured by how quickly it can be detected and mitigated before reaching the point of recovery.”