NYC Health + Hospitals Cyberattack Exposes 1.8 Million Patients’ Medical and Biometric Data

The largest public healthcare system in the United States, NYC Health + Hospitals, has been hit by a severe cyberattack. In a data breach that lasted several months, hackers reportedly stole personal information, sensitive medical records, and fingerprints of at least 1.8 million people. The incident is being described as one of the largest cyberattacks in the healthcare sector in 2026.

The New York-based public healthcare provider primarily serves low-income and general patients, many of whom are uninsured or receive care under government assistance such as Medicaid. The institution confirmed the data theft in a report submitted to the U.S. Department of Health and Human Services.

Hackers inside the system for 3 months

The institution stated that it first detected the cyberattack on 2 February 2026 and quickly secured its network. However, investigations revealed that hackers had gained unauthorized access to the system as early as November 2025. This means the attackers were able to freely copy data from the database for nearly three months.

The breach reportedly occurred through vulnerabilities in a third-party vendor.

What data was stolen

According to official notices, the stolen data includes patients’ health insurance policies, disease history, prescriptions, medical test reports, and imaging files such as X-rays and MRIs.

Highly sensitive government identification data was also compromised, including Social Security numbers (SSN), passports, and driving license information.

Hackers also accessed precise geolocation data of citizens. It is believed that location metadata embedded in identity document images uploaded by patients may have been exploited to extract this information.

Fingerprints stolen: major biometric concern

Cybersecurity analysts say the most alarming aspect of the attack is the theft of biometric data, including fingerprints and palm prints. Unlike passwords or identity numbers, biometric identifiers cannot be changed once compromised.

Typically, the institution collected fingerprints for criminal background checks of job applicants. However, it remains unclear whether biometric data of general patients was also affected.

Following the incident, the organization’s official website went temporarily offline on Monday morning.

Healthcare sector increasingly targeted

According to the latest annual cybercrime report by the FBI, the healthcare sector has become a primary target for ransomware hackers worldwide. The main objective of these attacks is to extort large ransom payments by locking sensitive medical and billing data.

Previously, a massive attack on Change Healthcare, owned by UnitedHealth, led to the theft of medical data of nearly 190 million Americans in what is considered the largest medical data breach in U.S. history.

DBTech/BMT/OR