Back

Massive Data Breach at NYC Health and Hospitals Affects 1.8 Million Patients

Severity: High (Score: 66.0)

Sources: www.diariobitcoin.com, Biometricupdate, www.nychealthandhospitals.org, cybernoz.com, Techcrunch

Published: 2026-05-18 · Updated: 2026-05-19

Keywords: data, hackers, fingerprints, medical, health, stole, million

Severity indicators: medical

Summary

NYC Health and Hospitals reported a significant data breach affecting at least 1.8 million individuals. The breach, which lasted from November 25, 2025, to February 2, 2026, was caused by unauthorized access through a compromised third-party vendor. Sensitive data stolen includes medical records, personal identification, financial information, and biometric data such as fingerprints and palm prints. This incident is one of the largest healthcare data breaches of 2026, raising serious concerns due to the irreversible nature of biometric data theft. The breach was detected on February 2, 2026, prompting immediate security measures. The organization is currently reviewing the affected data and has reported the incident to the U.S. Department of Health and Human Services. Key Points: • 1.8 million individuals affected by the breach, making it one of the largest in 2026. • Sensitive data stolen includes medical records, financial information, and biometric data. • The breach lasted over two months before detection, highlighting significant security vulnerabilities.

Detailed Analysis

**Impact** At least 1.8 million individuals served by New York City Health and Hospitals (NYCHH), the largest public healthcare system in the U.S., had sensitive data compromised. The breach exposed medical records, personal identifiers (Social Security numbers, driver’s licenses, passports), financial information, and biometric data including fingerprints and palm prints. The incident also involved precise geolocation data embedded in user-uploaded identity document photos. A related but smaller breach at a third-party care coordination partner, NADAP, affected 5,086 patients with PHI and Social Security numbers. **Technical Details** The breach occurred through a compromised third-party vendor, with unauthorized access from approximately November 25, 2025, to February 2-11, 2026. Attackers copied files containing protected health information, financial data, and biometric identifiers. No specific malware, CVEs, or tools were disclosed. The attack leveraged third-party access as the initial vector, consistent with supply chain compromise tactics. No IOCs were provided in the available sources. **Recommended Response** Organizations should immediately review and restrict third-party vendor access privileges and implement continuous monitoring of vendor connections. Deploy anomaly detection focused on unusual data exfiltration and access patterns involving sensitive data repositories. Harden identity verification processes and assess biometric data storage and protection policies. Monitor for any public disclosures or threat actor communications related to this breach.

Source articles (11)

  • Hackers stole fingerprints and medical data from 1.8 million people in NYC's largest public ... — Thenextweb · 2026-05-18
    TL;DR NYC Health and Hospitals disclosed that hackers stole medical records, personal data, and biometric information including fingerprints from at least 1.8 million people. The breach, which lasted…
  • NYC Health + Hospitals says hackers stole medical data and fingerprints in breach affecting ... — Firstpost · 2026-05-18
    NYC Health + Hospitals has detailed that a months-long data breach allowed hackers to steal personal data, medical records, and fingerprint scans of at least 1.8 million people. NYCHHC, one of the lar…
  • NYC Health + Hospitals State Hackers Stole Medical Data and Fingerprints in Breach ... — Ground.News · 2026-05-18
    NYC Health + Hospitals has reported a major data breach exposing sensitive personal, medical, and biometric data of 1.8 million people after hackers accessed its systems for several months New York Ci…
  • NYC Health + Hospitals says hackers stole medical data and fingerprints in breach affecting ... — Firstpost · 2026-05-18
    NYC Health + Hospitals has detailed that a months-long data breach allowed hackers to steal personal data, medical records, and fingerprint scans of at least 1.8 million people. NYCHHC, one of the lar…
  • Notification Of Possible Phi Disclosures — www.nychealthandhospitals.org · 2026-05-18
    ...but your activity and behavior on this website made us think that you are a bot. Please solve this CAPTCHA in helping us understand your behavior to grant access You reached this page when trying t…
  • NYC Health and Hospitals Confirms Medical and Biometric Data Robbery of 1.8 Million People — www.diariobitcoin.com · 2026-05-18
  • Millions Impacted Across Several US Healthcare Data Breaches — cybernoz.com · 2026-05-18
  • Notification Of Possible Phi Disclosures — www.nychealthandhospitals.org · 2026-05-18
  • Notification Of Possible Phi Disclosure 7 — web.archive.org · 2026-05-18
    NYC Health + Hospitals was notified on January 27, 2026, that one of its Care Management Agency Partners, NADAP, which provides care coordination services to individuals who receive services under NYC…
  • NYC Health and Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people — Techcrunch · 2026-05-18
    New York public health provider NYC Health and Hospitals says a months-long data breach that allowed hackers to steal personal data, medical records, and fingerprints scans affects at least 1.8 millio…
  • Data breach exposes medical, financial, biometric data of 1.8 million — Biometricupdate · 2026-05-18
    New York City Health and Hospitals (NYCHH) is confronting one of the largest healthcare data breaches disclosed so far this year after a months-long network compromise exposed sensitive personal, medi…

Timeline

  • 2025-11-25 — Unauthorized access begins: Hackers gained access to NYC Health and Hospitals systems through a third-party vendor.
  • 2026-02-02 — Breach detected: NYC Health and Hospitals detected suspicious activity and secured their network.
  • 2026-05-18 — Breach disclosed publicly: NYC Health and Hospitals publicly disclosed the breach affecting 1.8 million individuals.

Related entities

  • Data Breach (Attack Type)
  • Ransomware (Attack Type)
  • Change Healthcare (Company)
  • Coastal Carolina Health Care (Company)
  • Erie Family Health Centers (Company)
  • Florida Physician Specialists (Company)
  • Nadap (Company)
  • National Association On Drug Abuse Problems (Company)
  • New York City Health And Hospitals (Company)
  • New York City Health And Hospitals Corporation (Company)
  • NYC Health And Hospitals (Company)
  • NYC Health + Hospitals (Company)
  • Western Orthopaedics (Company)
  • United States (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • nychhc.org (Domain)
  • [email protected] (Email)
  • Healthcare (Industry)
  • 46.101.93.122 (Ipv4)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1486 - Data Encrypted for Impact (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed