NYC Health breach exposes 1.8 million

NYC Health + Hospitals said on March 24 that an unauthorized actor accessed parts of its network between November 25, 2025 and February 11, 2026 and copied files from those systems. The public hospital system said the breach may have begun with a security incident at an unnamed third-party vendor, and that at least 1.8 million people were affected. The stolen information included medical records, insurance details, billing data and biometric information such as fingerprints and palm prints. ### How did the breach unfold? NYC Health + Hospitals said it discovered suspicious activity on February 2, 2026, secured its network immediately, opened an investigation and brought in outside cybersecurity specialists. The system said its investigation later found that the intruder had access for roughly 11 weeks, from late November until February 11. (nychealthandhospitals.org) TechCrunch reported on May 18 that the health system told the U.S. Department of Health and Human Services the breach affected at least 1.8 million people, putting it among the larger healthcare breaches disclosed this year. HHS’s Office for Civil Rights maintains the federal breach portal for incidents affecting 500 or more people. (nychealthandhospitals.org) ### What kinds of information were taken? The breach notice says the exposed data varies by person, but can include health insurance information, medical information, billing and payment records, and other personal data. The medical details listed by the system include diagnoses, medications, test results, images and treatment plans. (techcrunch.com) Biometric information was also in the affected files. NYC Health + Hospitals said the stolen data may include fingerprints and palm prints, alongside Social Security numbers, driver’s license numbers, taxpayer identification numbers, precise geolocation data, financial account information and online account credentials. (nychealthandhospitals.org) ### Why are fingerprints different from other stolen data? Fingerprints and palm prints are different because they cannot be reissued in the way a password, payment card or account login can. The breach notice itself does not say how the biometric data was used inside the health system, but it identifies those scans as part of the affected information set. (nychealthandhospitals.org) SecurityWeek reported on May 19 that the NYC Health + Hospitals case was one of several large healthcare breaches recently added to the federal tracker. That report said multiple incidents involving hospitals and health-related organizations had affected hundreds of thousands or millions of people. (nychealthandhospitals.org) ### What has the hospital system said about the cause? NYC Health + Hospitals said the unauthorized actor “may have gained access” because of a security breach at a third-party vendor, but it did not identify the vendor in its public notice. The system also said its review of which individuals and which exact data elements were involved remains ongoing. (biometricupdate.com) The public notice says law enforcement did not ask the system to delay notification. The notice was posted under HIPAA breach-notification rules and says email notice would also be provided where required by law. ### What should affected people watch for next? NYC Health + Hospitals said its public notice will remain on its website through June 23, 2026. (nychealthandhospitals.org) The system’s toll-free response line, operated through Kroll, is listed as (844) 403-4518 and will remain active at least until that date for people checking whether their information was involved. HHS says breaches affecting 500 or more individuals are reported to the secretary through its online portal, and those cases appear on the public breach list while under investigation. For affected patients, the next formal steps are likely to come through updated notices from NYC Health + Hospitals, any HHS Office for Civil Rights inquiry, and any additional disclosures about the third-party vendor the system has not yet named. (nychealthandhospitals.org) (hhs.gov)