New York public well being supplier NYC Well being and Hospitals says a months-long information breach that allowed hackers to steal private information, medical data, and fingerprints scans impacts at the least 1.8 million folks.
NYCHHC is the biggest public well being system in america and supplies healthcare to over one million New Yorkers, nearly all of whom are uninsured or obtain state healthcare advantages, akin to Medicaid.
The healthcare system reported the quantity to the U.S. Division of Well being and Human Companies, making it one of many largest healthcare-related information breaches of the 12 months to this point. Healthcare organizations have been repeatedly focused by financially motivated cybercriminals in recent times in efforts to steal their huge banks of extremely delicate sufferers’ private, medical, and billing info.
In a knowledge breach discover on its web site, NYCHHC stated that it detected a cyberattack on February 2 and secured its community. The hackers had entry to its community from November 2025 till February 2026, throughout which the hackers copied information from its methods.
The healthcare system stated hackers broke because of a breach at a third-party vendor, which it didn’t identify.
NYCHHC stated that the uncovered information varies by particular person, and contains sufferers’ medical insurance plan and coverage info, medical info (akin to diagnoses, drugs, exams, and imagery), billing, claims, and fee info. Different government-issued id paperwork, akin to Social Safety numbers, passports, and driver’s licenses, have been additionally compromised.
The breach discover additionally says “exact geolocation information” was taken within the breach, suggesting that the user-uploaded pictures of their id paperwork might have additionally contained the precise location of the place the doc was captured.
The breach is especially delicate as a result of hackers stole biometric info, together with fingerprints and palm prints, which affected people have for all times and can’t substitute. NYCHHC didn’t present an evidence for storing biometric information. Potential NYCHHC staff are usually required to enroll their fingerprints for felony data checks. It’s not but identified if sufferers’ biometrics have been additionally taken.
NYCHHC’s web site was briefly offline as of Monday morning. A spokesperson for NYCHHC didn’t instantly reply to an electronic mail from TechCrunch with questions concerning the cyberattack. TechCrunch requested, amongst different issues, why it took the group months to detect the breach, and if it has acquired any communication from the hackers, akin to a requirement for fee.
It’s not clear if NYCHHC can obtain electronic mail on the time of the web site outage.
The incident seems to be unrelated to the info breach at Nationwide Affiliation on Drug Abuse Issues (NADAP) earlier this 12 months, wherein over 5,000 NYCHHC sufferers had info taken within the cyberattack.
Within the FBI’s newest annual report on cybercrime protecting 2025, healthcare remained a prime goal for ransomware attackers — criminals who break into databases, steal a replica of the info whereas scrambling the sufferer’s servers, and threaten to publish the stolen information if the sufferer doesn’t pay the hackers. A ransomware assault on UnitedHealth-owned well being tech big Change Healthcare allowed Russian-linked hackers to steal the medical and billing info of greater than 190 million People, believed to be the biggest theft of U.S. medical information in historical past.
Whenever you buy by way of hyperlinks in our articles, we might earn a small fee. This doesn’t have an effect on our editorial independence.
