New York health system says hackers stole patient data, fingerprints

Hackers stole patient medical files and biometric scans, including fingerprints and palm prints, from NYC Health + Hospitals, a breach that reached at least 1.8 million people and struck data that cannot simply be reset like a password.

The health system said it discovered suspicious activity in its network on Feb. 2, 2026, then determined an unauthorized actor had access from about Nov. 25, 2025, through Feb. 11, 2026, and copied files from affected systems. NYC Health + Hospitals disclosed the breach on March 24 and said the intrusion may have begun through a security failure at an unnamed third-party vendor.

The notice says the exposed material may include health insurance information, medical record numbers, diagnoses, medications, test results, images and treatment plans. It also lists Social Security numbers, driver’s license or other government ID numbers, taxpayer identification numbers, precise geolocation data, payment card numbers, financial account information or credentials, and online account credentials.

What makes this case especially sensitive is the biometric data. Fingerprints and palm prints are permanent identifiers, and once they are copied they cannot be replaced the way a password or account number can be. Paired with medical records, payment information and identity documents, that kind of data can support long-term fraud, identity theft and attempts to impersonate patients in other systems.

NYC Health + Hospitals said it was offering 24 months of credit monitoring and identity theft protection. Its breach notice will stay posted through June 23, 2026, and a toll-free response line, (844) 403-4518, is active at least until that date. The system said the delayed notice was not tied to a law-enforcement investigation.

The stakes are high because NYC Health + Hospitals is the largest municipal health care system in the United States. It serves more than 1 million New Yorkers each year and operates more than 70 locations across the five boroughs, including The Bronx, Brooklyn, Manhattan, Queens and Staten Island.

The breach adds to a string of security problems for the city system. A separate incident disclosed March 11 affected 5,086 patients through its care management partner NADAP, with exposed data including names, dates of birth, addresses, Medicaid numbers, clinical information and Social Security numbers. Together, the cases underline how heavily public-health institutions now depend on outside vendors, and how one weakness in that chain can spill into the records of patients across New York City.