New York public health provider NYC Health and Hospitals announced that a data breach lasting several months resulted in hackers stealing personal data, medical records, and fingerprint scans from at least 1.8 million individuals. As the largest public health system in the U.S., serving over a million New Yorkers, many of whom are uninsured or on Medicaid, NYCHHC reported this significant breach to the U.S. Department of Health and Human Services. Recent trends show healthcare entities targeted by cybercriminals seeking sensitive patient information.
NYCHHC detected the breach on February 2, securing its network after hackers had access from November 2025 to February 2026, copying files. The breach originated from an undisclosed third-party vendor. Compromised data varies per individual, including insurance and medical information, billing, government-issued IDs, and possibly precise geolocation data from user-uploaded documents.
The breach is notably severe due to stolen biometric data, such as fingerprints and palm prints, which are lifelong identifiers. NYCHHC has not clarified why it stored biometric details. It’s unknown if patient biometrics were also compromised.
NYCHHC’s website experienced an outage, delaying their response to inquiries about the attack’s detection delay and potential hacker communications, including ransom demands.
This incident is separate from an earlier NADAP breach affecting over 5,000 NYCHHC patients. Healthcare continues as a ransomware target, exemplified by an attack on Change Healthcare, where hackers stole medical and billing data of over 190 million Americans, marking a historic data theft.