NYC Health and Hospitals breach exposes medical records, fingerprints, and geolocation data of 1.8 million people

NYC Health and Hospitals breach exposes medical records, fingerprints, and geolocation data of 1.8 million people

Briefly

"NYC Health and Hospitals disclosed that hackers stole personal data, medical records, and biometric information, including fingerprints, in a breach affecting at least 1.8 million people. The organisation reported the figure to the US Department of Health and Human Services, making the incident one of the largest healthcare data breaches of 2026."

"NYCHHC said it detected the cyberattack on 2 February 2026 and secured its network. The hackers had been inside the system since approximately 25 November 2025, giving them more than two months of access before detection. During that period, they copied files containing an extraordinary range of sensitive information: health insurance details, medical records including diagnoses and medications, billing and payment data, Social Security numbers, passport and driver’s licence numbers, and biometric data including fingerprints and palm prints."

"The theft of fingerprints and palm prints is what distinguishes this breach from the steady drumbeat of healthcare data incidents that have become routine in American medicine. A stolen Social Security number can be replaced. A compromised password can be changed. A fingerprint cannot. Once biometric data is in the hands of attackers, the individuals affected carry that vulnerability for life, with no mechanism for revocation or reissuance."

"NYCHHC did not explain why it was storing biometric data. The most likely explanation is employee onboarding: prospective staff are generally required to submit fingerprints for criminal background checks. Whether patients' biometric data was also compromised has not be"