New York public well being supplier NYC Well being and Hospitals says a months-long data breach that allowed hackers to steal private knowledge, medical information, and fingerprints scans impacts at the least 1.8 million individuals.
NYCHHC is the most important public well being system in america and supplies healthcare to over a million New Yorkersnearly all of whom are uninsured or obtain state healthcare advantages, reminiscent of Medicaid.
The healthcare system reported the quantity to the U.S. Division of Well being and Human Providers, making it one of many largest healthcare-related knowledge breaches of the yr to date. Healthcare organizations have been repeatedly focused by financially motivated cybercriminals lately in efforts to steal their huge banks of extremely delicate sufferers’ private, medical, and billing data.
In a knowledge breach discover on its web site, NYCHHC mentioned that it detected a cyberattack on February 2 and secured its community. The hackers had entry to its community from November 2025 till February 2026, throughout which the hackers copied information from its programs.
The healthcare system mentioned hackers broke as a consequence of a breach at a third-party vendor, which it didn’t identify.
NYCHHC mentioned that the uncovered knowledge varies by particular person, and contains sufferers’ medical health insurance plan and coverage data, medical data (reminiscent of diagnoses, medicines, checks, and imagery), billing, claims, and fee data. Different government-issued id paperwork, reminiscent of Social Safety numbers, passports, and driver’s licenses, had been additionally compromised.
The breach discover additionally says “exact geolocation knowledge” was taken within the breach, suggesting that the user-uploaded photographs of their id paperwork might have additionally contained the precise location of the place the doc was captured.
The breach is especially delicate as a result of hackers stole biometric data, together with fingerprints and palm prints, which affected people have for all times and can’t change. NYCHHC didn’t present a proof for storing biometric knowledge. Potential NYCHHC staff are typically required to enroll their fingerprints for felony information checks. It’s not but recognized if sufferers’ biometrics had been additionally taken.
NYCHHC’s web site was briefly offline as of Monday morning. A spokesperson for NYCHHC didn’t instantly reply to an e-mail from TechCrunch with questions in regards to the cyberattack. TechCrunch requested, amongst different issues, why it took the group months to detect the breach, and if it has obtained any communication from the hackers, reminiscent of a requirement for fee.
It’s not clear if NYCHHC can obtain e-mail on the time of the web site outage.
The incident seems to be unrelated to the information breach at Nationwide Affiliation on Drug Abuse Issues (NADAP) earlier this yearthrough which over 5,000 NYCHHC sufferers had data taken within the cyberattack.
Within the FBI’s newest annual report on cybercrime protecting 2025, healthcare remained a prime goal for ransomware attackers — criminals who break into databases, steal a duplicate of the information whereas scrambling the sufferer’s servers, and threaten to publish the stolen knowledge if the sufferer doesn’t pay the hackers. A ransomware assault on UnitedHealth-owned well being tech large Change Healthcare allowed Russian-linked hackers to steal the medical and billing information of more than 190 million Americansbelieved to be the most important theft of U.S. medical knowledge in historical past.
If you buy by means of hyperlinks in our articles, we may earn a small commission. This doesn’t have an effect on our editorial independence.
