NYC Health and Hospitals, a New York public health service provider, said a months-long data breach that allowed hackers to steal personal data, medical records and fingerprint scans affected at least 1.8 million people.
NYCHHC is the nation’s largest public health system, providing health care to more than one million New Yorkers. Many of them are uninsured or receive state health care coverage such as Medicaid.
The health system reported the figures to the U.S. Department of Health and Human Services, making it one of the largest healthcare-related data breaches of the year so far. Healthcare organizations have been targeted by financially motivated cybercriminals in recent years in an effort to steal vast banks of highly sensitive patient personal, medical and billing information.
In a data breach notice posted on its website, NYCHHC said it detected the cyberattack and secured its network on February 2. The hacker accessed the network from November 2025 to February 2026, during which time the hacker copied files from the system.
The health system said the hackers were infiltrated through a breach by an unnamed third-party vendor.
NYCHHC said the exposed data varied across individuals and included patients’ health insurance plan and policy information, medical information (including diagnoses, medications, tests and imaging), and billing, billing and payment information. Other government-issued identity documents, including Social Security numbers, passports, and driver’s licenses, were also compromised.
The breach notice also states that “precise geolocation data” was captured in the breach, suggesting that user-uploaded ID photos may also have included the exact location where the document was captured.
This breach is particularly sensitive because the hackers stole biometric information, including fingerprints and palm prints, that can impact individuals for a lifetime and are irreplaceable. NYCHHC did not provide an explanation for storing biometric information. Prospective NYCHHC employees are generally required to be fingerprinted for a criminal background check. It is not yet known whether the patient’s biometrics were also collected.
The NYCHHC website was briefly offline starting Monday morning. A NYCHHC spokesperson did not immediately respond to an email from TechCrunch with questions about the cyberattack. TechCrunch asked, among other things, why it took organizations months to detect a breach and whether they received any communications from hackers, such as demands for payment.
It is unclear whether NYCHHC will receive emails in the event of a website outage.
This incident does not appear to be related to the data breach that occurred at the National Association for Drug Abuse Problems (NADAP) earlier this year. In this incident, more than 5,000 NYCHHC patients had their information obtained through a cyberattack.
In the FBI’s latest annual report on cybercrime for 2025, the healthcare sector remains a top target for ransomware attackers. Criminals break into databases and steal copies of data while scrambling their victims’ servers, threatening to make the stolen data public if victims don’t pay the hackers. A ransomware attack on Change Healthcare, a health technology giant owned by UnitedHealth, allowed Russian-linked hackers to steal the medical and billing information of more than 190 million Americans, believed to be the largest theft of U.S. health data in history.
If you purchase through links in our articles, we may receive a small commission. This does not affect our editorial independence.
