NYC Health + Hospitals, which serves roughly 1.3 million patients annually across the city's public hospital network, disclosed a significant data breach affecting at least 1.8 million people. Hackers accessed personal information, medical records, and biometric data including fingerprints during the intrusion.
The incident ranks among the largest recorded breaches of 2026, exposing the vulnerability of public healthcare infrastructure to sophisticated cyber attacks. The stolen biometric data is of particular concern because fingerprints cannot be changed the way passwords or credit card numbers can. Attackers could potentially use this information for identity fraud, unauthorized access to secure facilities, or sale on dark web marketplaces.
NYC Health + Hospitals operates 11 acute care hospitals and dozens of clinics serving low-income New Yorkers. The system has struggled with IT infrastructure investment for years, making it a potentially attractive target for ransomware groups and state-sponsored actors. The breach notification comes as healthcare organizations nationwide face escalating ransomware campaigns, with criminals increasingly demanding payment before releasing stolen patient data.
The health system has not disclosed the attack vector or timeline, though forensic investigations typically take weeks to complete. Patient notification letters began going out to affected individuals. NYC Health + Hospitals is offering two years of free credit monitoring and identity theft protection services to breach victims.
This incident highlights the cybersecurity challenges facing public healthcare systems that operate with constrained budgets while managing massive patient populations and sensitive data. Hospitals nationwide have become prime targets because patient data commands premium prices on black markets and attackers know hospitals often pay ransoms quickly to restore critical services. The exposure of biometric data adds another layer of severity, as this information cannot be easily remediated the way traditional personally identifiable information can.
Healthcare sector attacks have accelerated in recent years, with the U.S. Department of Health and Human Services warning about increased targeting of hospital networks. NYC Health +
