NYC Health + Hospitals Breach: 1.8M Patients’ Data Stolen – Ankor Tech

NYC Health + Hospitals, the largest public health system in the United States, has confirmed a massive data breach exposing the sensitive information of at least 1.8 million patients. The incident, which persisted for several months, resulted in the theft of personal medical records, government-issued identification, and biometric data.

A Months-Long Security Failure

According to the official notification of the breach, hackers infiltrated the network via a third-party vendor. The unauthorized access began in November 2025 and remained undetected until February 2, 2026. During this window, cybercriminals successfully exfiltrated vast amounts of data before the health system could secure its network.

The system provides essential care to over a million New Yorkers, many of whom rely on Medicaid or lack health insurance entirely. This breach now stands as one of the most significant healthcare data compromises of the year.

What Data Was Stolen?

The scope of the compromised information is extensive and varies by individual. Exposed files include:

  • Medical records: Diagnoses, prescribed medications, test results, and medical imagery.
  • Financial details: Billing statements, insurance plan information, and payment records.
  • Identity documents: Social Security numbers, passports, and driver’s licenses.
  • Metadata: Precise geolocation data, likely extracted from user-uploaded photos of identity documents.

The Crisis of Stolen Biometrics

Perhaps most alarming is the theft of biometric information, including fingerprints and palm prints. Unlike a password or a credit card number, biometric data is permanent and cannot be replaced once compromised. While NYC Health + Hospitals requires prospective employees to enroll their fingerprints for criminal background checks, the organization has yet to clarify why this sensitive data was stored or whether patient biometrics were also impacted.

A Growing Trend in Healthcare Cybercrime

The healthcare sector has become a primary target for financially motivated threat actors. The FBI’s recent annual report on cybercrime highlights that ransomware groups consistently prioritize medical databases due to the high value of the information held within. This incident is distinct from the earlier attack on the National Association on Drug Abuse Problems (NADAP), which impacted approximately 5,000 NYC Health + Hospitals patients.

As of Monday, the NYC Health + Hospitals website experienced intermittent outages, complicating efforts to communicate with those affected. The organization has not yet disclosed whether a ransom demand was made or why the breach went undetected for several months.