NYC Health + Hospitals, the largest public healthcare system in the United States, has disclosed a major data breach impacting at least 1.8 million individuals after attackers reportedly maintained access to its network for several months.
The healthcare provider said the intrusion was discovered on February 2, 2026, but investigators later determined unauthorized access had allegedly existed since November 2025.
According to a public breach notice, attackers copied files containing highly sensitive patient and employee information during the intrusion.
The organization attributed the compromise to a breach involving a third-party vendor, though it did not publicly identify the vendor involved.
NYC Health + Hospitals disclosed the incident to the U.S. Department of Health and Human Services, making it one of the largest healthcare-related breaches reported so far this year.
Medical records and biometric data allegedly exposed
The exposed information reportedly varies by individual but may include medical records, diagnoses, treatment information, insurance details, billing and payment records, and government-issued identification documents such as Social Security numbers, passports, and driver’s licenses.
The breach disclosure also stated that biometric data including fingerprints and palm prints may have been compromised during the incident.
That aspect of the breach significantly raises the long-term risk for affected individuals because biometric identifiers cannot easily be changed or replaced once exposed.
The notice further referenced the theft of precise geolocation data, potentially tied to uploaded identity verification documents or mobile device metadata.
It remains unclear whether the compromised biometric records primarily belonged to employees, patients, or both.
Healthcare sector continues facing sustained attacks
Healthcare organizations remain one of the most heavily targeted sectors for cyberattacks due to the enormous volume of sensitive personal, medical, and insurance information they maintain.
Large healthcare systems are especially attractive targets because attackers can potentially gain access to millions of patient records through a single compromise involving centralized systems or third-party vendors.
The incident also highlights the growing risks associated with vendor-related intrusions, where attackers compromise external providers connected to healthcare networks rather than breaching hospitals directly.
The disclosure follows a wave of major healthcare cyberattacks over the past several years, including the massive Change Healthcare breach that reportedly exposed the medical and billing information of more than 190 million Americans.
At time of publication, NYC Health + Hospitals had not publicly identified the threat actor responsible for the intrusion or disclosed whether extortion demands were received.
Individuals potentially affected by the breach are being advised to monitor financial accounts, healthcare statements, insurance activity, and suspicious communications referencing medical services or identity verification requests.
Earlier this year, BreachNews also covered the growing wave of healthcare-related data breaches affecting U.S. organizations.
