NYC Health + Hospitals has announced a major data breach that exposed sensitive patient information for at least 1.8 million people. The breach occurred between November 2025 and February 2026, during which hackers stole personal data, medical records, and fingerprint scans from the healthcare system's network. NYCHHC is the largest public health system in the US, serving over a million patients, mostly uninsured or on Medicaid.
The exposed data includes health insurance plan and policy information, medical diagnoses, medications, tests, and billing details. Other compromised documents include government-issued ID such as Social Security numbers, passports, and driver's licenses. Additionally, hackers stole precise geolocation data, which may have included photos of identity documents with exact location information.
NYCHHC did not provide an explanation for storing biometric data, including fingerprints, which cannot be replaced by affected individuals. The healthcare system says the breach was caused by a third-party vendor, but has not named the company. NYCHHC's website was briefly offline on Monday morning, and a spokesperson did not respond to questions about the breach.
The incident marks one of the largest healthcare-related data breaches this year, following a similar breach at Change Healthcare that exposed over 190 million Americans' medical and billing information in 2025. The FBI has reported that healthcare remains a top target for ransomware attackers, who often steal sensitive patient data to extort payments from victims.
