NYC Health + Hospitals said a cyberattack that compromised its systems for several months exposed personal, medical, financial, and biometric information belonging to at least 1.8 million people, making it one of the largest healthcare-related data breaches reported in the United States this year.
The public healthcare provider disclosed the figure to the U.S. Department of Health and Human Services.
NYC Health + Hospitals is the largest public health system in the United States and provides healthcare services to more than one million New Yorkers, many of whom are uninsured or receive public healthcare assistance such as Medicaid.
According to a breach notification published by the organization, hackers gained access to the healthcare system’s network through a compromised third-party vendor.
The organization said attackers remained inside its systems from November 2025 until February 2026 and copied files containing sensitive information during that period.
NYC Health + Hospitals said it detected the intrusion on February 2 and subsequently secured its network.
The organization did not identify the third-party vendor involved in the breach.
Medical, Financial, Identity, And Biometric Data Was Exposed
The healthcare provider said the compromised information varies between affected individuals.
Exposed data includes health insurance details, medical records, diagnoses, medications, test results, medical imagery, billing records, claims information, and payment data.
The breach also affected government-issued identity documents and personal identifiers, including Social Security numbers, passports, and driver’s license information.
NYC Health + Hospitals additionally said “precise geolocation data” was taken during the attack, indicating that uploaded identity document photos may have contained embedded location metadata showing where the images were captured.
The breach is considered particularly sensitive because attackers also obtained biometric information, including fingerprints and palm prints.
Unlike passwords or account credentials, biometric identifiers cannot easily be changed or replaced after exposure.
NYC Health + Hospitals did not explain why biometric information was stored within the affected systems.
The organization noted that prospective employees are commonly required to submit fingerprints for criminal background checks, though it remains unclear whether patient biometric data was also compromised.
Organization Faces Questions Over Delayed Detection
As of Monday morning, the healthcare provider’s website was briefly offline.
A spokesperson for NYC Health + Hospitals did not immediately respond to questions from TechCrunch regarding the attack.
TechCrunch asked why the intrusion remained undetected for months and whether the organization had received communication from the attackers, including ransom demands.
It was also unclear whether the organization could receive emails while portions of its website were unavailable.
The incident does not appear connected to a separate breach earlier this year involving the National Association on Drug Abuse Problems, which affected information belonging to more than 5,000 NYC Health + Hospitals patients.
Healthcare Sector Remains Major Cybercrime Target
Healthcare organizations continue to face frequent attacks from financially motivated cybercriminal groups seeking large collections of medical and personal data.
According to the FBI’s annual cybercrime report covering 2025, healthcare remained one of the primary targets for ransomware attacks.
Ransomware groups typically steal sensitive information while encrypting organizational systems and then demand payment to prevent publication of the stolen data.
One of the largest healthcare cyberattacks in U.S. history affected Change Healthcare, owned by UnitedHealth Group, where Russian-linked hackers stole medical and billing information tied to more than 190 million Americans.
Featured image credits: nycofficecleaners.com
For more stories like it, click the +Follow button at the top of this page to follow us.