Overview
- NYC Health + Hospitals, which serves more than a million New Yorkers, says hackers stole medical records, identity data, and fingerprint and palm-print scans affecting at least 1.8 million people.
- The attackers entered through a compromised third-party vendor and kept access from November 2025 to February 2026 before the breach was detected on February 2.
- The exposed data varies by person and can include diagnoses, medications, insurance details, billing and claims data, Social Security and driver’s license numbers, and passport information.
- The breach notice also cites precise geolocation data, which can be stored with photos of identity documents, raising added risks for long-term privacy and fraud.
- The health system says it reset credentials, tightened remote access, deployed new monitoring, and hired outside cybersecurity and data analytics firms, while HHS’s breach tracker shows wider sector incidents but with some counts likely to be corrected.