VYPR | Breach | Published May 19, 2026 · 2 sources

NYC Health + Hospitals Breach Exposes Biometrics, Diagnoses, and Bank Details of 1.8 Million

A months-long breach via a compromised third-party vendor has exposed highly sensitive data for at least 1.8 million patients and employees, including medical records, Social Security numbers, bank details, fingerprints, and palm prints.

NYC Health + Hospitals (NYC H+H) disclosed a data breach on May 19 that has exposed the personal, medical, financial, and biometric information of at least 1.8 million individuals — making it one of the largest healthcare breaches of 2026. The unauthorized access occurred through a compromised third-party vendor and persisted from late November 2025 through February 2026, according to the notice posted by the health system.

NYC H+H detected suspicious activity on February 2, 2026, and later confirmed that an attacker had copied files containing a remarkably broad range of data. The exposed dataset includes full names, contact details, Social Security numbers, driver's license and passport numbers, taxpayer IDs, and IRS identity protection PINs. Billing records, bank account numbers, and payment card data were also taken, opening the door to direct financial theft and highly targeted social engineering.

Perhaps most alarming is the inclusion of detailed medical and biometric information. Diagnoses, medication lists, and test results could expose conditions individuals may have kept private from employers, family, or insurers, creating opportunities for blackmail, discrimination, or targeted scams. Fingerprints and palm prints — biometrics that are extremely difficult to change and can be used for lifelong identity tracking — were also compromised. As biometrics become more widely used for authentication in healthcare and beyond, their exposure represents a long-term security liability.

NYC H+H attributes the intrusion to a breach at an unnamed third-party vendor that had legitimate access to its systems. This fits a troubling pattern of supply-chain compromises in healthcare, where attackers target a vendor as an entry point to reach multiple downstream organizations. The incident was reported to the U.S. Department of Health and Human Services (HHS) on March 24, 2026.

The breach is part of a broader surge in healthcare cyberattacks. The FBI's Internet Crime Complaint Center (IC3) reported that healthcare was the most targeted critical infrastructure sector for ransomware in 2025, with 460 ransomware incidents and 182 reported healthcare data breaches. The Change Healthcare ransomware attack alone exposed medical and billing data for more than 190 million Americans, demonstrating the cascading impact of a single compromised intermediary.

NYC H+H is offering identity theft prevention and mitigation services, including 24 months of credit monitoring through Kroll Information Assurance, to all individuals who have worked for or been a patient of the system. The health system has posted a detailed data breach notice on its website with instructions for affected individuals.

As healthcare data becomes a prime target for cybercriminals, breaches involving biometric and detailed medical records pose unique risks. Unlike credit cards or passwords, medical identities can be used for years to commit fraud, obtain prescription drugs, or file false insurance claims. The NYC H+H incident underscores the urgent need for healthcare organizations to scrutinize third-party vendor access and adopt stronger data segmentation and monitoring strategies.

NYC Health + Hospitals has now officially notified the U.S. Department of Health and Human Services that the breach affects 1.8 million individuals, confirming the scale of the incident first disclosed in March. The compromised data includes biometric information such as fingerprints and palm prints, which security experts note cannot be reset like passwords, posing a permanent identity risk to affected patients. The incident underscores growing supply-chain vulnerabilities in healthcare, as the breach originated from an unnamed third-party vendor.

Synthesized by Vypr AI