New York public health provider NYC Health and Hospitals announced that at least 1.8 million people were affected by a months-long data breach that allowed hackers to steal personal data, medical records, and fingerprint scans.
NYCHHC is the largest public health system in the United States, providing health care to more than 1 million New Yorkers, the majority of whom are uninsured or receive state health benefits such as Medicaid.
The health system reported the number to the U.S. Department of Health and Human Services, making it one of the largest health care data breaches so far this year. Health care organizations have been repeatedly targeted in recent years by financially motivated cybercriminals seeking to steal vast amounts of sensitive personal, medical, and billing information about patients.
In a data breach notification on its website, NYCHHC said it detected a cyberattack on February 2 and secured its network. The hackers accessed the company’s network from November 2025 to February 2026, during which time they copied files from the system.
The health system said the hackers gained entry through a breach of a third-party vendor, but did not name the vendor.
According to NYCHHC, the compromised data varies by individual and includes patient health insurance plan and policy information, medical information (such as diagnoses, medications, tests, and imaging), and billing and payment information. Government-issued identification documents were also compromised, including Social Security numbers, passports, and driver’s licenses.
The breach notice also states that “precise geolocation data” was obtained in the breach, suggesting that the ID photos uploaded by users may also have included the exact location where the photo was taken.
This breach is especially noteworthy because hackers stole biometric information such as fingerprints and palm prints. Biometric information stays with the affected individual for life and cannot be replaced. NYCHHC does not discuss its storage of biometric data. Prospective NYCHHC employees are typically required to register their fingerprints for a criminal background check. It is still unclear whether biometric identification was also performed on patients.
NYCHHC’s website was temporarily offline as of Monday morning. A spokesperson for NYCHHC did not immediately respond to an email from TechCrunch with questions about the cyberattack. TechCrunch asked, among other questions, why it took the organization months to detect the breach and whether it had received any form of communication from the hackers, including a request for payment.
It is unclear whether NYCHHC will be able to receive emails during the website outage.
The incident appears to be unrelated to a data breach at the National Association on Drug Abuse Problems (NADAP) earlier this year, in which information on more than 5,000 NYCHHC patients was obtained in a cyberattack.
Health care organizations remain a top target for ransomware attackers, according to the FBI’s latest annual report on cybercrime for 2025. Criminals break into databases, steal copies of the data while scrambling the victim’s servers, and threaten to release the stolen data unless the victim pays. A ransomware attack on medical technology giant Change Healthcare, part of UnitedHealth, allowed Russian hackers to steal medical and billing information for more than 190 million Americans, in what is believed to be the largest theft of U.S. health data in history.
