NYC Health + Hospitals (NYC H+H) posted a data breach notice about a months‑long breach via a third‑party vendor that exposed highly sensitive patient and employee data for at least 1.8 million people, including medical records, government IDs, geolocation data, and even fingerprint and palm‑print biometrics.
NYC H+H detected suspicious activity on February 2, 2026, and later confirmed that an unauthorized actor had access to parts of its network from roughly late November 2025 through February 2026.
During this window, attackers copied files containing personal, medical, financial, and biometric information. The incident was reported to the US Department of Health and Human Services (HHS) on March 24, 2026, and currently affects at least 1.8 million individuals, making it one of the largest healthcare breaches of 2026 so far.
NYC H+H attributes the intrusion to a breach at an unnamed third‑party vendor that had access to its systems. This fits the current pattern of supply-chain compromises, in which a vendor becomes the entry point attackers use to reach its clients’ systems or data.
Incidents like these are textbook examples of how deeply personal health data can fuel long‑term fraud, stalkerware‑like abuse, and permanent privacy loss.








