NYC Health and Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people

NYC Health and Hospitals, the largest municipal healthcare system in the United States, confirmed that attackers stole personal data, medical records, and biometric information including fingerprints from at least 1.8 million patients during a significant security breach.

The stolen data includes names, addresses, Social Security numbers, insurance information, and medical histories. The biometric theft represents a particularly sensitive compromise. Fingerprints and other biometric identifiers carry permanent risk; unlike passwords or credit card numbers, patients cannot change their fingerprints if exposed.

This breach ranks among 2026's largest healthcare data compromises by volume. NYC Health and Hospitals serves roughly 1.2 million patients annually across 11 hospitals and dozens of clinics throughout New York City. The system processes payment information and maintains comprehensive medical histories for a population spanning all five boroughs.

The healthcare sector remains a top target for attackers due to the high-value nature of medical records. A single medical identity can fetch thousands of dollars on the dark web compared to credit card data. Criminals exploit stolen health information for insurance fraud, prescription drug diversion, and identity theft.

NYC Health and Hospitals has not publicly disclosed the specific attack vector or timeline of the breach. The system operates under budget constraints and aging infrastructure, common challenges for municipal healthcare providers trying to maintain security posture across complex networks.

The organization notified affected patients and indicated it would provide credit monitoring and identity theft protection services. State regulators and the federal government's HHS Office for Civil Rights typically investigate breaches of this scale, which can result in substantial fines and enforcement actions.

The incident underscores persistent vulnerabilities in healthcare IT infrastructure. Many hospital systems, particularly public providers, struggle to balance cybersecurity investments with clinical operations and patient care demands. The stolen biometric data creates long-term risk that extends beyond traditional fraud concerns into future authentication systems.