NYC Health + Hospitals disclosed that hackers accessed its network for three months, copying fingerprints, palm prints, Social Security numbers, passports, driver’s licenses, and medical records for at least 1.8 million people.
NYCHHC, the largest public health system in the United States, reported the breach to the U.S. Department of Health and Human Services under HIPAA’s breach notification rule, which requires covered entities to notify HHS of incidents affecting 500 or more individuals within 60 days of discovery. The system serves over a million New Yorkers, most of them uninsured or enrolled in Medicaid. The intrusion, tied to a third-party vendor breach NYCHHC declined to name, ran from November 2025 until February 2, 2026.
The biometric theft is the sharpest element. Fingerprints and palm prints can’t be reissued. NYCHHC didn’t explain why it was storing biometric data; prospective employees are generally required to submit fingerprints for criminal records checks, but it’s not yet confirmed whether patient biometrics were also taken. The breach notice also cited “precise geolocation data” among the stolen records.
The FBI’s 2025 cybercrime report identified healthcare as a top target for ransomware, in which attackers steal data, encrypt servers, and threaten to publish if victims don’t pay.
NYCHHC hasn’t confirmed whether it received a ransom demand. Its website went briefly offline Monday morning. The organization hasn’t responded to questions about why detection took three months, and the HHS filing opens it to a potential compliance review.
James Okafor