New York public health provider NYC Health and Hospitals says a months-long data breach that allowed hackers to steal personal data, medical records, and fingerprint scans affects at least 1.8 million people.
NYCHHC is the largest public health system in the United States and provides healthcare to over a million New Yorkers, the majority of whom are uninsured or have government healthcare benefits, such as Medicaid.
The healthcare system reported the figure to the U.S. Department of Health and Human Services, making it one of the largest healthcare-related data breaches of the year so far. Healthcare organizations have been repeatedly targeted by financially motivated cybercriminals in recent years in efforts to steal their huge banks of highly sensitive patients’ personal, medical, and billing information.
In a data breach notice on its website, NYCHHC said that it detected a cyberattack on February 2 and secured its network. The hackers had access to its network from November 2025 until February 2026, during which the hackers copied files from its systems.
The healthcare system said hackers broke in due to a breach at a third-party vendor, which it did not name.
NYCHHC said that the exposed information varies by individual, and includes patients’ health insurance plan and policy information, medical information (such as diagnoses, medications, tests, and imagery), billing, claims, and payment information. Other government-issued identity documents, such as Social Security numbers, passports, and driver’s licenses, were also compromised.
The breach notice also says “precise geolocation data” was taken in the breach, suggesting that the user-uploaded photos of their identity documents may have also contained the exact location of where the document was captured.
The breach is particularly sensitive because hackers stole biometric information, including fingerprints and palm prints, which affected individuals have for life and cannot replace. NYCHHC did not provide an explanation for storing biometric data. Prospective NYCHHC employees are generally required to enroll their fingerprints for criminal records checks. It’s not yet known if patients’ biometrics were also taken.
NYCHHC’s website was briefly offline as of Monday morning. A spokesperson for NYCHHC did not immediately respond to an email from TechCrunch with questions about the cyberattack. TechCrunch asked, among other things, why it took the organization months to detect the breach, and if it has received any communication from the hackers, such as a demand for payment.
It’s not clear if NYCHHC can receive email at the time of the website outage.
The incident appears to be unrelated to the data breach at National Association on Drug Abuse Problems (NADAP) earlier this year, in which over 5,000 NYCHHC patients had information taken in the cyberattack.
In the FBI’s latest annual report on cybercrime covering 2025, healthcare remained a top target for ransomware attackers — criminals who break into databases, steal a copy of the data while scrambling the victim’s servers, and threaten to publish the stolen data if the victim does not pay the hackers. A ransomware attack on UnitedHealth-owned health tech giant Change Healthcare allowed Russian-linked hackers to steal the medical and billing information of more than 190 million Americans, believed to be the largest theft of U.S. medical data in history.