One of the largest healthcare breaches of the year

NYC Health and Hospitals says a cyberattack exposed highly sensitive information belonging to at least 1.8 million people, making it one of the largest reported healthcare breaches of 2026 so far. The public health system said hackers stole personal data, medical records, and biometric scans including fingerprints and palm prints.

The scale alone would make this a major incident. The nature of the data makes it worse. Unlike passwords, biometric identifiers cannot simply be reset and reissued. Once compromised, they create a durable risk for the affected people.

A long dwell time inside the network

According to the organization’s breach notice, as described in the TechCrunch report, the attack was detected on February 2, 2026, but the intruders had access to the network from November 2025 until February 2026. During that period, they copied files from the organization’s systems.

The organization said the compromise stemmed from a breach at an unnamed third-party vendor. That detail reinforces a recurring pattern in healthcare cybersecurity: even large institutions with extensive infrastructure can be exposed through connected service providers.

The data taken was unusually broad

NYC Health and Hospitals said the exposed information varies by individual, but can include insurance and policy details, diagnoses, medications, tests, medical imagery, billing and claims data, payment information, and government identification records such as Social Security numbers, passports, and driver’s licenses.

The report also says precise geolocation data was taken, suggesting that uploaded identity-document images may have carried location information. If confirmed across many records, that would widen the privacy implications beyond conventional identity theft risk.

Why the biometric angle stands out

The inclusion of fingerprints and palm prints sharply raises the severity of the breach. Biometric data is persistent. If it is abused or redistributed, affected individuals have far fewer options for recovery than they would after exposure of a credit card or password.

The healthcare system did not explain why it was storing biometric data, though the report notes that prospective employees are generally required to submit fingerprints for criminal-record checks. It was not yet clear whether patients’ biometrics were also involved.

A warning for public-sector healthcare

NYC Health and Hospitals is the largest public health system in the United States and serves more than a million New Yorkers, many of whom are uninsured or receive state healthcare benefits. That profile makes the breach especially consequential. Public healthcare systems hold large volumes of sensitive records while also operating under intense budgetary, technical, and operational constraints.

The incident is another reminder that healthcare remains a prime target for financially motivated cybercriminals. Medical and identity records are valuable, difficult to replace, and often dispersed across complex vendor networks. Once attackers find a weak point, the downstream damage can be immense.

For the people affected, the next concern is practical: what protections, notifications, and long-term monitoring will follow. For the broader industry, the message is sharper still. In healthcare, third-party exposure and slow detection remain enough to turn a systems breach into a lasting personal-security problem.

This article is based on reporting by TechCrunch.

Originally published on techcrunch.com