NYC Health and Hospitals Suffers Massive Data Breach, Affecting 1.8 Million and Stealing Biometric Data

NYC Health and Hospitals (NYCHHC), the largest public health system in the United States, has disclosed a significant data breach that exposed the personal and medical information, including highly sensitive biometric data, of at least 1.8 million people. The months-long cyberattack, which allowed hackers to access the network from November 2025 until it was detected and secured in February 2026, represents one of the largest healthcare-related data breaches reported this year. This incident underscores the escalating threat financially motivated cybercriminals pose to healthcare organizations, which are rich targets for vast banks of sensitive patient data. The breach originated through a third-party vendor, which NYCHHC has not publicly named. During their access period, hackers managed to copy a wide array of files from the system. The compromised data varies by individual but includes critical information such as health insurance plan details, extensive medical records (diagnoses, medications, tests, and imagery), billing and payment information, and government-issued identity documents like Social Security numbers, passports, and driver's licenses. Alarmingly, "precise geolocation data" was also stolen, suggesting user-uploaded identity document photos might have contained location metadata. Perhaps the most concerning aspect of this breach is the theft of biometric information, specifically fingerprints and palm prints. Unlike other forms of identity data, biometric identifiers are unique and immutable, meaning affected individuals are permanently compromised and cannot replace them. NYCHHC has not provided an explanation for storing such sensitive biometric data, particularly for patients, although it is known that prospective employees are required to enroll fingerprints for criminal record checks. It remains unclear whether patient biometrics were indeed among the stolen data. Despite detecting the cyberattack on February 2, 2026, and securing its network, questions remain regarding the duration of the breach and the organization's response. TechCrunch's inquiries, including why it took months to detect the intrusion and whether any ransom demands were made, went unanswered by NYCHHC. The incident highlights the persistent challenges healthcare providers face in securing vast amounts of highly personal data against sophisticated and persistent cyber threats. This breach adds to a growing list of major cyberattacks targeting the healthcare sector. The FBI's latest annual report for 2025 confirmed healthcare as a top target for ransomware attackers. Earlier this year, a ransomware attack on UnitedHealth-owned Change Healthcare resulted in the theft of medical and billing information for over 190 million Americans, marking it as potentially the largest theft of U.S. medical data in history. The NYCHHC incident, while appearing unrelated to a smaller breach affecting its patients via the National Association on Drug Abuse Problems (NADAP) earlier this year, reinforces the urgent need for robust cybersecurity measures across the entire healthcare ecosystem.