NYC Health and Hospitals says hackers stole medical information and fingerprints during breach affecting at least 1.8 million people

New York’s public health provider NYC Health and Hospitals says a months-long data breach that allowed hackers to steal personal information, medical records, and fingerprint scans affects at least 1.8 million people.

NYCHHC is the largest public health system in the United States and provides health care to more than one million New Yorkers, many of whom are uninsured or receive federal health care benefits, such as Medicaid.

The health care system reported this number to the US Department of Health and Human Services, making it the largest health care-related data breach of the year so far. Healthcare organizations have been repeatedly targeted by financially motivated hackers in recent years in attempts to steal their banks of sensitive personal, medical, and billing information.

In a data breach notice on its website, NYCHHC said it discovered the cyber attack on February 2 and secured its network. Hackers had access to its network from November 2025 until February 2026, when hackers copied files from its systems.

The health care system says it was hacked because of a breach at a third-party vendor, which it did not name.

NYCHHC said the data disclosed varies by individual, and includes patients’ health insurance plan and policy information, medical information (such as diagnoses, medications, tests, and images), and billing and claims information. Other government-issued IDs, such as Social Security numbers, passports, and driver’s licenses, were also compromised.

The breach notice also states that “specific geographic location data” was taken in the breach, suggesting that user-uploaded photos of identity documents may also contain the exact location where the document was captured.

The breach is particularly sensitive because the hackers stole biometric information, including fingerprints and palm prints, which affected people have for life and can’t change. NYCHHC did not provide an explanation for storing biometric data. Prospective NYCHHC employees are generally required to register their fingerprints for criminal records checks. It is not yet known if the patients’ biometrics were also taken.

The NYCHHC website was briefly offline as of Monday morning. A spokesperson for NYCHHC did not immediately respond to an email from TechCrunch with questions about the cyberattack. TechCrunch asked, among other things, why it took the organization months to discover the breach, and if it received any communication from hackers, such as a demand for payment.

It is not clear if NYCHHC can receive email during the website shutdown.

The incident appears to be unrelated to the National Association on Drug Abuse Problems (NADAP) data breach earlier this year, in which more than 5,000 NYCHHC patients had information taken in a cyberattack.

In the FBI’s latest annual report on cybercrime covering 2025, healthcare remained a top target for ransomware attackers – criminals who break into databases, steal a copy of data while probing victims’ servers, and threaten to publish the stolen data if the victim doesn’t pay the criminals. A ransomware attack on UnitedHealth-owned health technology company Change Healthcare allowed Russian-linked hackers to steal the medical and billing information of more than 190 million Americans, believed to be the largest theft of US medical data in history.
