NYC Health hacked, 1.8M exposed

- NYC Health + Hospitals said on May 18 hackers stole medical, personal and biometric data after accessing parts of its network from November 25, 2025.
- The breach affects at least 1.8 million people, and the exposed data can include fingerprints, palm prints, diagnoses, treatment plans, IDs and account credentials.
- A Kroll response site and hotline will stay available through June 23, 2026 for affected people seeking incident details.

NYC Health + Hospitals said on May 18 that hackers stole personal, medical and biometric data in a breach affecting at least 1.8 million people. The public hospital system said the attacker accessed certain systems between November 25, 2025 and February 11, 2026 and copied files from them. The organization said it detected suspicious activity on February 2, secured its network and brought in outside cybersecurity specialists. It said the intrusion appears tied to a security breach at an unnamed third-party vendor.

### How long were the attackers inside the system?

NYC Health + Hospitals said the unauthorized actor had access for roughly 11 weeks, from late November 2025 until February 11, 2026. The system said it discovered suspicious activity on February 2, 2026, then began an investigation and containment steps immediately. TechCrunch and The Next Web reported that the access lasted months and stemmed from a third-party vendor compromise, citing the hospital system’s disclosure. (nychealthandhospitals.org) NYC Health + Hospitals did not identify the vendor in its public notice.

### What information was taken?

NYC Health + Hospitals said the exposed information varies by person and that not every data element was involved in every case. (nychealthandhospitals.org) The categories listed in its notice include health insurance details, medical information such as diagnoses, medications, test results, images and treatment plans, plus billing, claims and payment information. (techcrunch.com) The notice also says the copied files may include biometric information, including fingerprints and palm prints. Other data listed by the hospital system includes Social Security numbers, driver’s license numbers and other government-issued IDs, taxpayer identification numbers, precise geolocation data, credit or debit card numbers, financial account information, and online account credentials. (nychealthandhospitals.org)

### Who could be affected?
NYC Health + Hospitals reported the breach to the U.S. Department of Health and Human Services as affecting at least 1.8 million people, according to TechCrunch. The system is the largest public health system in the United States and serves more than 1 million New Yorkers, many of whom are uninsured or use public coverage such as Medicaid, TechCrunch reported. (nychealthandhospitals.org) The public notice says the review to identify affected individuals and the specific data elements involved remains ongoing. That means the 1.8 million figure reflects the current disclosed scope, not necessarily a final count. That is an inference from the hospital system’s statement that its review is continuing.

### Why are fingerprints and palm prints a distinct problem?

(techcrunch.com) The Next Web said the breach included biometric data that affected people cannot readily replace. Biometric identifiers differ from passwords or payment cards because they are not easily reissued after exposure. NYC Health + Hospitals did not say in its notice how the fingerprint and palm-print data had been used inside its systems or whether the copied files were encrypted. (nychealthandhospitals.org) Its public disclosure focused on the categories of information involved, the timeline of the intrusion and the support being offered to affected individuals.

### What is the hospital system doing now?

(thenextweb.com) NYC Health + Hospitals said it engaged external cybersecurity professionals, secured its network and is providing notice under HIPAA requirements. The system said email notice is also being provided where available and that the breach notice will remain on its homepage through June 23, 2026. Kroll is operating the response site and hotline for the incident. (nychealthandhospitals.org) The toll-free number, 844-403-4518, will remain active at least until June 23, 2026, according to the notice and the Kroll incident page.

### What should readers watch next?
March 24, 2026 is the date on the hospital system’s posted breach notice, and May 18, 2026 is when wider reporting put the 1.8 million figure into public view. (nychealthandhospitals.org) The next concrete update is likely to come through revised notices, regulatory filings or direct outreach as NYC Health + Hospitals continues reviewing whose data was copied and exactly what files were involved.
