
NYC Health + Hospitals is warning 1.8 million patients that hackers stole medical records, Social Security numbers, banking information, and even fingerprint data in a months-long breach of the nation’s largest public hospital system.
- Hackers breached NYC Health + Hospitals systems and exposed sensitive patient information tied to roughly 1.8 million people.
- The stolen data reportedly includes medical records, Social Security numbers, payment details, and fingerprint information, putting victims at risk of future attacks.
- The breach adds to growing concerns over escalating cyberattacks targeting US hospitals and critical healthcare infrastructure.
The New York City-based public healthcare system this week began notifying 1.8 million affected individuals that their sensitive personal and health information was exposed to cybercriminals in a breach of its systems first discovered on February 2nd.
“The investigation determined that an unauthorized actor accessed certain NYC Health + Hospitals’ systems between approximately November 25th, 2025, and February 11th, 2026,” the organization stated in a breach notice posted on its website.
The unauthorized actor was said to have “copied certain files from those systems” – all while maintaining continued access to NYCHHC networks for nearly three months.
Outside cybersecurity experts believe the hackers broke into the hospital systems through a security breach involving one of its third-party vendors.
Investigators are still determining the identity of affected individuals and specific data elements involved, and have not revealed whether ransomware was a factor in the breach.
Cybernews has reached out to NYC Health + Hospitals for additional details about the attack, including whether any systems were encrypted, if a ransom demand was made, and how many individuals had biometric data exposed, but has not heard back as of publication.
Fingerprints and medical records exposed
NYC Health + Hospitals operates more than 70 patient care locations across the city’s five boroughs, serves more than 1 million patients annually, and employs roughly 45,000 healthcare professionals, according to its website.
Employee information was also said to have been compromised in the breach.
The vast network is made up of 11 major hospitals, 29 outpatient centers, trauma centers, nursing homes, and the NYC Health + Hospitals Institute for Diseases and Disaster Management, making it one of the largest public healthcare systems in the US.
NYCHHC said the amount and type of information exposed in the breach varies by individual, but is said to include one or more of the following data elements:
- Personal information: names, dates of birth, addresses, Social Security numbers, driver’s license or passport numbers, taxpayer ID numbers, and precise geolocation data.
- Health-related information: medical record numbers, health insurance information, Medicaid/Medicare government ID numbers, diagnoses, medications, test results, images, and treatment plans.
- Financial and other identifying information: billing, claims, and payment information, credit card/debit card numbers, bank account information, as well as online account credentials and biometric data such as fingerprints and palm prints.
Ross Filipek, CISO at Corsica Technologies, told Cybernews that what makes this breach so alarming is not just the nearly 2 million people impacted, but the information stolen.
“Medical records, financial details, and even fingerprint data create a long-term problem for victims because, unlike a password, biometric data cannot simply be reset after exposure,” Filipek explained.
He says the ripple effects stretch far beyond a single hospital network, and "can disrupt insurance systems, delay treatments, fuel identity fraud, and open the door to highly convincing phishing campaigns built around stolen patient information."
Patients urged to monitor accounts
NYCHHC says it has engaged a leading data analytics firm to analyze the contents of the data, and has taken a number of steps to protect against future security incidents.
“Protecting the security and privacy of the information we maintain is a top priority,” the NYCHHC said in its notice.
The organization says it has “reset credentials for all compromised accounts, implemented enhanced detection rules targeting the specific tools and techniques suspected to be used by the unauthorized individual, and updated its remote access management policies to prevent similar unauthorized entry points in the future.”
Still, it is urging impacted individuals to not only immediately change the password for their NYCHHC and related accounts, but to monitor financial statements, explanation-of-benefits forms, and credit reports for suspicious activity.
The healthcare network recommends that affected individuals report any suspected identity theft or fraud to banks, insurers, and law enforcement, and consider placing a fraud alert or security freeze on their credit file.
Filipek says that healthcare organizations have become one of the most attractive targets in cybersecurity, citing similarities to a March data-wiping attack on the Stryker Corporation, a leading medical technology provider.
“Hospitals and healthcare providers sit on enormous amounts of sensitive data, but they also operate in environments where downtime can directly affect patient care,” noted Filipek.
The Stryker attack decimated internal systems tied to its Microsoft environment, limiting employee access to business operations, devices, and services, leading to emergency room communication issues and delays in patient surgeries at several hospitals in the US.
“That pressure makes victims more likely to pay ransoms or rush recovery efforts, which is exactly what threat actors are counting on,” he said.
NYC Health + Hospitals is offering two years of complimentary credit monitoring and identity protection services for those affected.