NYC Health + Hospitals, the nation’s largest public health system, announced that a cyberattack exposed personal, medical and biometric data belonging to at least 1.8 million individuals. The breach, which began in November 2025 and was discovered on February 2, 2026, allowed attackers to copy files from the system after gaining entry through a third‑party vendor. The organization secured its network shortly after detection and reported the incident to the U.S. Department of Health and Human Services.

The compromised information varies by patient but includes health‑insurance details, diagnoses, medication lists, test results, imaging, billing and claims data, as well as government‑issued identifiers such as Social Security numbers, passports and driver’s licenses. In a particularly sensitive aspect of the breach, fingerprint and palm‑print scans were also stolen, raising concerns about the long‑term security of biometric identifiers that cannot be reissued.

NYC Health + Hospitals has not clarified why biometric data were stored or whether the stolen fingerprints belong to patients or staff members who undergo fingerprint checks during hiring. The breach notice also mentioned that precise geolocation data were taken, suggesting that uploaded images of identity documents may have contained location metadata.

The incident follows a series of high‑profile attacks on the healthcare sector, which remains a prime target for financially motivated cybercriminals. Earlier this year, a separate breach at the National Association on Drug Abuse Problems affected over 5,000 patients, and a ransomware attack on Change Healthcare compromised the records of more than 190 million Americans. Federal authorities continue to warn that ransomware groups frequently threaten to release stolen data unless a ransom is paid.