- NYC Health + Hospitals confirms cyberattack exposed sensitive data on 1.8 million individuals
- Stolen information includes medical records, government IDs, geolocation data, and biometric fingerprints and palm prints
- The breach stemmed from a third‑party vendor flaw, raising long‑term risks of fraud, impersonation, and targeted phishing
NYC Health + Hospitals (NYCHHC), the public healthcare system of New York City and the largest municipal healthcare network in the United States, has confirmed it suffered a cyberattack in which it lost highly sensitive data on 1.8 million people.
Among the stolen data are fingerprints and palm prints, which can never be changed, making this breach even more disruptive.
Citing a data breach notice published on the NYCHHC website, TechCrunch says the attack started in November 2025, and lasted until February 2026, when the criminals were finally spotted and removed from the network. During this time, however, they were able to exfiltrate sensitive data on 1.8 million people, including patients’ health insurance plan and policy information, medical information (e.g., diagnoses, medications, tests, and imagery), billing, claims, and payment information.
Third-party supply chain attack
Social Security numbers, passports, and driver’s licenses were apparently also compromised, and to make matters even worse, NYCHHC said the attackers also walked away with “precise geolocation data”.
But the most valuable data stolen are definitely fingerprints and palm prints. We don’t know exactly how many people are affected, and whether or not these are employees, patients, or both, but according to TechCrunch, NYCHHC requires employees to enroll their fingerprints for criminal records checks.
The incident was reported to the US Department of Health and Human Services.
NYCHHC said the criminals exploited a flaw in an unnamed third-party vendor. For Chris Debrunner, CISO at CBTS, this isn’t much of a surprise, since healthcare organizations are “interconnected by design”. However, this also means “third-party risk and the third-parties they are using cannot be treated as a procurement checkboxes or an annual compliance checkbox.”
“The downstream risk and impact to the affected individuals could last well beyond the initial mitigations,” Debrunner commented. “Medical information, government IDs, location data, and biometrics could all be used successfully for targeted phishing, impersonation, fraud, and social engineering not just the ones directly impacted, but potentially to extended family and acquaintances. Third-party access needs to be limited, monitored, and tied to clear inventories of roles, data and systems. In these sensitive environments, security has to be continuously measured by how quickly you can detect and mitigate before ever getting to the point of recovery."
