NYC Health + Hospitals has disclosed a major cyberattack that exposed sensitive personal, medical, and biometric data belonging to approximately 1.8 million individuals. The breach is now considered one of the largest healthcare security incidents reported in 2026.
According to the public healthcare provider, attackers gained unauthorized access to internal systems between November 2025 and February 2026 before the intrusion was detected and contained. The organization said suspicious activity was discovered on February 2, prompting an internal investigation and emergency response measures.
The compromised data includes highly sensitive medical records, insurance information, billing details, Social Security numbers, driver’s license data, and government-issued identification records. The breach also exposed biometric information, including fingerprint and palm print scans, raising long-term privacy and identity security concerns.
Unlike passwords or payment cards, biometric identifiers cannot be changed once compromised. Security experts warn that stolen fingerprint and palm print data could create permanent risks for affected individuals if the information is later abused for fraud, impersonation, or identity verification bypass attempts.
NYC Health + Hospitals stated that the breach appears to have originated through a compromised third-party vendor. The healthcare provider has not publicly identified the vendor involved but confirmed that attackers were able to access and copy files from internal systems during the intrusion window.
Researchers continue warning that healthcare organizations remain high-value targets for cybercriminals because medical records contain extensive personal and financial information that can be exploited in phishing campaigns, insurance fraud, identity theft, and social engineering attacks. Healthcare networks are also heavily interconnected with vendors, contractors, and external service providers, increasing supply chain risk exposure.
The organization said affected individuals are being notified and offered identity protection and credit monitoring services. Officials also reported the incident to the U.S. Department of Health and Human Services as required under federal healthcare breach regulations.
The incident adds to growing concerns surrounding cybersecurity within the healthcare sector, where ransomware attacks, third-party breaches, and large-scale patient data exposures continue to rise. Security analysts have repeatedly warned that hospitals and public healthcare systems remain vulnerable due to aging infrastructure, complex vendor ecosystems, and the high value of medical information on underground cybercrime markets.