New York public health provider NYC Health and Hospitals says a months-long data breach that allowed hackers to steal personal data, medical records, and fingerprints scans affects at least 1.8 million people.
NYCHHC is the largest public health system in the United States and provides healthcare to over a million New Yorkers, the majority of whom are uninsured or receive state healthcare benefits, such as Medicaid.
The healthcare system reported the number to the U.S. Department of Health and Human Services, making it one of the largest healthcare-related data breaches of the year so far. Healthcare organizations have been repeatedly targeted by financially motivated cybercriminals in recent years in efforts to steal their vast banks of highly sensitive patients’ personal, medical, and billing information.
In a data breach notice on its website, NYCHHC said that it detected a cyberattack on February 2 and secured its network. The hackers had access to its network from November 2025 until February 2026, during which the hackers copied files from its systems.
The healthcare system said hackers broke due to a breach at a third-party vendor, which it did not name.
NYCHHC said that the exposed data varies by individual, and includes patients’ health insurance plan and policy information, medical information (such as diagnoses, medications, tests, and imagery), billing, claims, and payment information. Other government-issued identity documents, such as Social Security numbers, passports, and driver’s licenses, were also compromised.
The breach notice also says “precise geolocation data” was taken in the breach, suggesting that the user-uploaded photos of their identity documents may have also contained the exact location of where the document was captured.
The breach is particularly sensitive because hackers stole biometric information, including fingerprints and palm prints, which affected individuals have for life and cannot replace. NYCHHC did not provide an explanation for storing biometric data. Prospective NYCHHC employees are generally required to enroll their fingerprints for criminal records checks. It’s not yet known if patients’ biometrics were also taken.
NYCHHC’s website was briefly offline as of Monday morning. A spokesperson for NYCHHC did not immediately respond to an email from TechCrunch with questions about the cyberattack. TechCrunch asked, among other things, why it took the organization months to detect the breach, and if it has received any communication from the hackers, such as a demand for payment.
It’s not clear if NYCHHC can receive email at the time of the website outage.
The incident appears to be unrelated to the data breach at National Association on Drug Abuse Problems (NADAP) earlier this year, in which over 5,000 NYCHHC patients had information taken in the cyberattack.
In the FBI’s latest annual report on cybercrime covering 2025, healthcare remained a top target for ransomware attackers — criminals who break into databases, steal a copy of the data while scrambling the victim’s servers, and threaten to publish the stolen data if the victim does not pay the hackers. A ransomware attack on UnitedHealth-owned health tech giant Change Healthcare allowed Russian-linked hackers to steal the medical and billing information of more than 190 million Americans, believed to be the largest theft of U.S. medical data in history.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.