NYC Health + Hospitals breach exposes biometrics, IDs
A vendor breach exposed fingerprints, palm prints, medical records, government IDs and bank/card data for at least 1.8 million patients and employees, according to a notice posted by NYC Health + Hospitals.
NYC Health + Hospitals said in its posted notice that attackers accessed parts of its network through an unnamed third‑party vendor between late November 2025 and February 2026 and copied files containing personal, medical, financial and biometric information for at least 1.8 million patients and employees. The health system detected suspicious activity on February 2, 2026, and reported the incident to the U.S. Department of Health and Human Services on March 24, 2026. The vendor with authorized access remains unidentified.
The exposed records include full names and contact details, Social Security numbers, driver’s license and passport numbers, taxpayer IDs and IRS identity protection PINs. The dataset also contains billing and payment records, bank and card information, and medical and insurance records such as diagnoses, medication lists, test results and claims data. The breach includes biometric records, specifically fingerprints and palm prints.
Biometric identifiers are permanent and cannot be changed like a password, so their exposure creates a lasting privacy risk for affected individuals.
Federal incident data showed the healthcare sector reported hundreds of ransomware and data breach incidents in 2025. A major third‑party breach last year exposed medical and billing data for more than 190 million Americans. Security analysts have observed that vendor compromises can grant attackers access to multiple downstream systems and large volumes of sensitive data.
NYC Health + Hospitals is offering identity theft prevention and mitigation services through Kroll Information Assurance, LLC at no cost for 24 months to all individuals who have been patients of or employed by the system. The health system advised affected people to consult its public breach notice for enrollment instructions and details. The organization is reviewing security controls and working with outside cybersecurity specialists while the investigation continues.
The health system provided a minimum count of 1.8 million affected individuals and did not provide a full tally or a timeline for closing the investigation. Patients and staff concerned about potential exposure are directed to the health system’s public notice for updates and instructions.





