New York public health provider NYC Health + Hospitals says a months-long data breach that allowed hackers to steal personal data, medical records and fingerprint scans affects at least 1.8 million people.
NYCHHC is the largest public health system in the United States and provides health care to over a million New Yorkers, the majority of whom are uninsured or receive government health care benefits such as Medicaid.
The healthcare system reported the number to the US Department of Health and Human Services, making it one of the largest healthcare-related data breaches of the year so far. Healthcare organizations have been repeatedly targeted by financially motivated cybercriminals in recent years in attempts to steal their vast banks of highly sensitive personal, medical and billing information about patients.
In a data breach notice on its website, NYCHHC said it detected a cyberattack on Feb. 2 and secured its network. Hackers had access to its network from November 2025 to February 2026, during which time they copied files from its systems.
The health care system said the hackers broke in through a breach at a third-party vendor, which it did not name.
NYCHHC said the data exposed varies by individual and includes patients’ health insurance plan and policy information, medical information (e.g., diagnoses, medications, tests and images), and billing, claims and payment information. Government-issued identification, such as Social Security numbers, passports and driver’s licenses, was also compromised.
The breach notification also states that “precise geolocation data” was obtained during the breach, suggesting that photos users uploaded of their ID documents may also have contained the exact location where the document was captured.
The breach is particularly sensitive because the hackers stole biometric information, including fingerprints and palm prints, which affected individuals have for life and cannot replace. NYCHHC did not provide an explanation for storing biometric data. Job candidates at NYCHHC are generally required to be fingerprinted for criminal record checks. It is not yet known if patients’ biometrics were also taken.
The NYCHHC website was briefly offline as of Monday morning. A spokesperson for NYCHHC did not immediately respond to an email from TechCrunch with questions about the cyberattack. TechCrunch asked, among other things, why it took the organization months to detect the breach and whether it has received any communication from the hackers, such as a payment request.
It is unclear whether NYCHHC can receive email while the website is down.
The incident does not appear to be related to the data breach at the National Association on Drug Abuse Problems (NADAP) earlier this year, in which more than 5,000 NYCHHC patients had information obtained during the cyberattack.
In the FBI's latest annual cybercrime report, covering 2025, healthcare remained a top target for ransomware attackers: criminals who hack into databases, steal a copy of the data while messing with the victim’s servers, and threaten to publish the stolen data if the victim doesn’t pay the hackers. A ransomware attack on UnitedHealth-owned tech giant Change Healthcare allowed Russian hackers to steal the medical and billing information of more than 190 million Americans in what is believed to be the largest theft of US medical data in history.
