Data breach exposes medical, financial, biometric data of 1.8 million

New York City Health and Hospitals (NYCHH) is confronting one of the largest healthcare data breaches disclosed so far this year after a months-long network compromise exposed sensitive personal, medical, financial, and biometric information tied to at least 1.8 million people.

The public health system disclosed the incident in a notice, saying it discovered suspicious activity affecting certain computer systems on February 2 and immediately moved to secure its network.

A subsequent investigation found that an unauthorized actor had accessed some NYCHH systems between approximately November 25, 2025, and February 11, 2026, and copied files from those systems.

The health system said its review of the affected files is ongoing, but the data involved may include protected health information, identity documents, financial information, and biometric data, including fingerprints and palm prints.

The breach affects at least 1.8 million individuals, according to figures reported to the U.S. Department of Health and Human Services (HHS) breach tracker. That makes it one of the largest healthcare breaches reported in 2026 and one of the most sensitive, because it involves not only conventional identity data such as Social Security numbers and driver’s license numbers, but also medical records and biometrics that cannot be replaced if compromised.

NYCHH is the largest public health system in the U.S. and serves more than one million New Yorkers, including large numbers of patients who are uninsured or receive public health benefits such as Medicaid.

The scale of the system, combined with the types of data it holds, makes the breach especially consequential. Healthcare providers routinely maintain a dense mix of clinical, insurance, billing, identity, and employment records, which can be highly valuable to financially motivated cybercriminals.

According to the breach notice, the exposed information varies by individual. The affected data may include health insurance information such as plans, policies, insurance companies, member and group identification numbers, and Medicaid, Medicare, or other government payor identification numbers.

It may also include medical information such as medical record numbers, disability codes, diagnoses, medications, test results, images, and treatment plans.

The notice also says billing, claims, and payment information may have been involved, along with other personal information such as Social Security numbers, driver’s license numbers, government-issued identification numbers, taxpayer identification numbers, IRS-issued identity protection numbers, credit or debit card numbers, financial account information or credentials, online account credentials, and precise geolocation data.

The inclusion of biometric information significantly raises the stakes. NYC Health and Hospitals said the breach may have involved fingerprints and palm prints, a category of data that is fundamentally different from passwords, account numbers, or payment cards.

The breach also raises questions about why and how biometric information was stored, which individuals’ biometrics were included, and whether the data belonged only to workforce members, prospective employees, or also patients.

NYCHH said the intrusion may have originated through a breach at an unnamed third-party vendor. The organization did not identify the vendor in its public notice.

That detail places the incident within a broader pattern of healthcare cybersecurity risks in which hospitals and health systems may have hardened portions of their own networks but remain exposed through vendors, contractors, software providers, managed service providers, and other outside entities that hold access to internal systems or sensitive data.

Third-party access has become one of the most persistent vulnerabilities in the healthcare sector. Hospitals depend on outside vendors for billing, claims processing, scheduling, electronic health record support, staffing, analytics, remote access tools, and cybersecurity services.

When a vendor account, system, or credential is compromised, attackers may be able to move into a healthcare organization’s environment without exploiting the provider directly.

In the NYC Health and Hospitals case, the public notice says the investigation remains ongoing but indicates the unauthorized actor may have gained access because of a security breach at a third-party vendor.

The timeline also raises significant questions. NYC Health and Hospitals said it detected suspicious activity on February 2, 2026, but the unauthorized access began around November 25, 2025.

The access continued until February 11, 2026, meaning the attacker was inside affected systems for roughly 11 weeks and remained present for several days after the suspicious activity was first discovered.

The health system said it immediately launched an investigation with the support of external cybersecurity professionals and engaged a data analytics firm to analyze the contents of the data that may have been accessed without authorization.

NYCHH said the delay in identifying affected individuals was tied to the need to review the affected data and determine what information was involved. It also said notification was not delayed because of a law enforcement investigation.

In response, NYCHH said it deployed additional detection and protective technologies across its network, reset credentials for compromised accounts, implemented enhanced detection rules targeting the tools and techniques believed to have been used by the unauthorized actor, and updated remote access management policies intended to prevent similar unauthorized entry points in the future.

The breach comes amid a series of major healthcare data security incidents recently added to the HHS breach tracker.

Erie Family Health Centers in Chicago reported a breach affecting 570,000 people after hackers accessed its network between December 2025 and late January 2026.

Florida Physician Specialists reported a breach affecting 276,000 people.

Coastal Carolina Health Care in North Carolina and Western Orthopaedics in Colorado each reported incidents affecting roughly 110,000 people.

Those incidents underscore the persistent pressure on healthcare organizations from cybercriminal groups seeking high-value personal and medical data.

The NYC Health and Hospitals breach is still under investigation, and the full scope of the data exposure may change as the system continues reviewing the files copied from its network.
