NYC Health and Hospitals breach exposes medical records, fingerprints, and geolocation data of 1.8 million people

TL;DRNYC Health and Hospitals disclosed that hackers stole medical records, personal data, and biometric information including fingerprints from at least 1.8 million people. The breach, which lasted from November 2025 to February 2026, originated through a compromised third-party vendor.

New York City Health and Hospitals, the largest public healthcare system in the United States, has disclosed that hackers stole personal data, medical records, and biometric information, including fingerprints, in a breach affecting at least 1.8 million people. The organisation reported the figure to the US Department of Health and Human Services, making the incident one of the largest healthcare data breaches of 2026.

NYCHHC said it detected the cyberattack on 2 February 2026 and secured its network. The hackers had been inside the system since approximately 25 November 2025, giving them more than two months of access before detection. During that period, they copied files containing an extraordinary range of sensitive information: health insurance details, medical records including diagnoses and medications, billing and payment data, Social Security numbers, passport and driver’s licence numbers, and biometric data including fingerprints and palm prints.