
Hackers Snag Fingerprints of 1.8 Million New Yorkers in Hospital Data Heist

Published on May 21, 2026
Image source: Unsplash / LOGAN WEAVER | @LGNWVR

Hackers quietly slipped into NYC Health + Hospitals' systems and copied medical records, government-issued ID documents, and biometric scans, including fingerprints and palm prints, affecting at least 1.8 million people, according to a notice from the public hospital network. The breach went undetected for months before it was spotted and has now triggered a sweeping identity-protection effort for patients and staff.

What the system says

In a notice posted March 24, NYC Health + Hospitals said it detected suspicious activity on February 2 and later determined that an unauthorized actor had accessed parts of its network between about November 25, 2025 and February 11, 2026. The list of potentially exposed data is long and deeply personal: medical record numbers, diagnoses, imaging, Social Security numbers, and even "precise geolocation data" tied to individuals.

The system says it is offering 24 months of credit monitoring through Kroll to eligible patients and workforce members and has set up a dedicated phone line to field questions and help people enroll in those services.

Biometric data stolen

What makes this breach stand out is the confirmation that biometric data, including fingerprints and palm prints, was copied. Unlike a password, you cannot simply reset a fingerprint. That detail, combined with the scale of the incident, drew broader national attention weeks after the initial notice quietly went up in March.

As TechCrunch reported, that kind of permanent identifier creates a very different risk profile than a stolen credit card number, which banks can cancel and reissue.

A third-party vendor and a local partner hit earlier

NYC Health + Hospitals says the intruder may have gotten into its environment through a breach at a third-party vendor, a now-familiar weak point in health care cybersecurity. That sort of downstream exposure had already shown up earlier in the year.

Its care-management partner NADAP disclosed a separate incident that compromised information for about 5,086 patients, according to Becker's Hospital Review. Taken together, the cases highlight how vendors can expand the attack surface for public hospital systems.

Who in the city is exposed

NYC Health + Hospitals operates more than 70 locations and provides care to over a million New Yorkers every year. Many of those patients are uninsured or covered by Medicaid, which means the fallout is likely to land hardest on low-income and publicly insured communities.

TechCrunch notes that the sheer size of the system and the vulnerability of the populations it serves amplify the potential consequences of this breach, from identity theft to medical fraud.

Why biometric theft makes remediation harder

Biometric identifiers are designed to be permanent. Security experts warn that if a fingerprint template or similar biometric record is stolen, it can sometimes be replayed to fool systems that trust that template as proof of identity. You can change a password; you cannot change your hands.

Cybersecurity analysts say this incident fits a troubling pattern in health care: a third-party foothold followed by a long period of undetected access, which gives attackers time to explore networks and quietly pull out high-value data. SANS NewsBites and analysis from Purple Shield Security both underline how vendor connections and extended "dwell time" can significantly worsen the risk, especially when biometrics are involved.

What to do if you might be affected

NYC Health + Hospitals says eligible patients and staff can sign up for the offered identity-protection and credit-monitoring services. People who think they might be caught up in the breach are also urged to place a fraud alert or security freeze with the major credit bureaus, look closely at explanation-of-benefit statements from insurers, and keep a sharp eye on bank and medical bills for anything unexpected.

The Federal Trade Commission's recovery site, IdentityTheft.gov, provides a step-by-step plan for anyone who suspects their identity has been misused, including tailored checklists and sample dispute letters.

Regulatory fallout to watch

Under the HIPAA Breach Notification Rule, health care providers and other covered entities must notify both the U.S. Department of Health and Human Services and affected individuals when unsecured protected health information is breached. The HHS Office for Civil Rights can then open an inquiry into whether NYC Health + Hospitals or any of its business associates met their security and notification obligations.

The rule also requires public posting of large breaches and can result in corrective action plans or civil monetary penalties, depending on what federal investigators find, according to HHS.

NYC Health + Hospitals says its investigation is still underway and that it will update its notice if it confirms significant new information. The system has kept a dedicated call line open for questions. For New Yorkers who rely on public hospitals, the episode is a stark reminder that third-party access to sensitive systems needs much closer scrutiny, and that the consequences of stolen biometrics can follow people for life.