NYC Health + Hospitals breached

- NYC Health + Hospitals said on March 24 that hackers accessed its systems from late November to February and copied sensitive patient and identity files. (nychealthandhospitals.org)
- At least 1.8 million people were affected, and the exposed data may include fingerprints, palm prints, diagnoses, insurance details, Social Security numbers and payment information. (nychealthandhospitals.org)
- The breach notice and response site say affected people can check impact details through June 23, 2026, using NYC Health + Hospitals’ hotline. (nychealthandhospitals.org)

NYC Health + Hospitals disclosed in a March 24 breach notice that an unauthorized actor accessed certain systems between about November 25, 2025 and February 11, 2026, then copied files from those systems. The public hospital system said it discovered suspicious activity on February 2, secured its network and brought in outside cybersecurity professionals. (nychealthandhospitals.org)

TechCrunch reported on May 18 that the incident affects at least 1.8 million people, based on the figure the system reported to the U.S. Department of Health and Human Services. The exposed information is notable because NYC Health + Hospitals said the affected data can include medical records, insurance details, billing and payment information, government-issued identification numbers, and biometric information including fingerprints and palm prints. (nychealthandhospitals.org) The system said the exact data involved varies by person and that its review remains ongoing.

### How did NYC Health + Hospitals say the intrusion happened?

NYC Health + Hospitals said the intruder appears to have gained access because of a security breach at a third-party vendor, though it did not name that vendor. The system said the unauthorized actor had access for weeks before the activity was detected. (nychealthandhospitals.org)

February 2, 2026 is the date the health system says it found suspicious activity. November 25, 2025 to February 11, 2026 is the window investigators identified for unauthorized access and file copying. The notice says law enforcement did not ask the organization to delay notifying affected people. (nychealthandhospitals.org)

### Why are fingerprints and palm prints the detail drawing the most attention?

Biometric information stands out because NYC Health + Hospitals specifically listed fingerprints and palm prints among the data that may have been involved. Unlike a password or payment card, biometric identifiers cannot simply be reissued after exposure. (nychealthandhospitals.org)

TechCrunch reported that NYC Health + Hospitals did not explain why it stored biometric data and said prospective employees are generally required to submit fingerprints for criminal background checks. The outlet said it was not yet known whether patients’ biometrics were also taken. (nychealthandhospitals.org)

### What else may have been taken besides biometrics?

NYC Health + Hospitals said the affected files may include health insurance plans and policy details, medical record numbers, diagnoses, medications, test results, images and treatment plans. The notice also lists claims data, payment information, Social Security numbers, driver’s license numbers, taxpayer identification numbers, financial account information, online account credentials and precise geolocation data. (nychealthandhospitals.org)

TechCrunch reported that passports were also among the compromised government identity documents. The outlet said the presence of precise geolocation data may indicate some uploaded identity-document images retained location metadata, though that point was presented as a suggestion rather than a confirmed finding by the health system. (techcrunch.com)

### How large is this breach in the healthcare sector this year?

At least 1.8 million people were affected, according to TechCrunch and other reports citing the number provided to HHS. That makes it one of the larger healthcare breaches disclosed so far in 2026. (nychealthandhospitals.org)

NYC Health + Hospitals is the largest public health system in the United States and serves more than 1 million New Yorkers, TechCrunch reported. The outlet said the incident appears unrelated to the earlier Change Healthcare attack. (techcrunch.com)

### What should affected people watch for next?

June 23, 2026 is the date through which NYC Health + Hospitals said its breach notice will remain on its homepage and its toll-free response line will stay active. The hotline number listed in the notice is 844-403-4518. NYC Health + Hospitals said email notice will also be provided where available and that its review of which people and data elements were involved is still continuing. (techcrunch.com)

That means some of the clearest next steps will come from updated individual notices and any further disclosures to regulators. (nychealthandhospitals.org)
