May 27, 2026 · 6 min read

NYC Health + Hospitals, the Largest US Public Health System, Says an Unauthorized Actor Sat Inside Its Network From Late November 2025 to February 2, 2026 and Copied the Personal, Medical, Financial, and Biometric Data—Including Fingerprints and Palm Prints—of at Least 1.8 Million People

NYC Health + Hospitals detected suspicious activity on February 2, 2026 and later confirmed that an intruder had access to parts of its network from roughly late November 2025 through that detection date. The actor copied files containing names, Social Security numbers, government IDs, geolocation data, diagnoses, bank and card details, and biometric records that include fingerprint and palm print scans. The system reported the incident to federal regulators on March 24, 2026 and is offering 24 months of credit monitoring through Kroll. A driver's license can be reissued. A fingerprint cannot.

Key Takeaways

  • NYC Health + Hospitals, the largest public health system in the United States, disclosed that an unauthorized actor accessed its network from late November 2025 until detection on February 2, 2026 and exfiltrated data on at least 1.8 million people.
  • The stolen data spans four categories that almost never appear together in a single breach: personal identifiers, full medical records, financial account details, and biometric records that include fingerprint and palm print scans.
  • Biometrics are the part that cannot be undone. A bank can issue a new card number and a state can issue a new license number, but a fingerprint and a palm print stay with a person for life and cannot be reset.
  • The system attributes the intrusion to a compromise at an unnamed third-party vendor that had network access, the same supply-chain pattern behind a string of recent hospital breaches.
  • Healthcare was the single most targeted critical infrastructure sector for ransomware in 2025, with the FBI Internet Crime Complaint Center logging 460 healthcare ransomware incidents that year.

What Was Stolen?

The actor copied four overlapping categories of sensitive data, and the breadth is what makes this incident unusual. Most healthcare breaches expose one or two of these categories. This one exposed all four.

The personal identifiers include full names, dates of birth, addresses, Social Security numbers, driver's license and passport numbers, taxpayer identification numbers, IRS identity protection PINs, and precise geolocation data. The medical category includes medical record numbers, diagnoses, medication lists, test results, images, treatment plans, and health insurance and claims data, along with Medicaid and Medicare government ID numbers. The financial category includes billing and payment records, credit and debit card numbers, and bank account information. The fourth category is biometric data: fingerprint and palm print scans tied to named individuals.

Taken together, a single stolen record can contain enough to open accounts, file fraudulent tax returns, impersonate a patient to an insurer, and reconstruct a person's medical history. The geolocation data adds a physical movement dimension that most identity theft kits never include. NYC Health + Hospitals reported the incident to the US Department of Health and Human Services on March 24, 2026 and is offering affected individuals 24 months of free identity theft prevention and credit monitoring through Kroll Information Assurance.

Why Are Stolen Biometrics Worse Than a Stolen Password?

Because a biometric cannot be revoked, rotated, or reissued the way a credential can. When a password leaks you change it. When a card number leaks the bank cancels it and mails a new one. When a fingerprint or palm print leaks there is no equivalent action, because the credential is your body.

Security researchers covering the breach made the point bluntly: biometrics tend to stay with a person for life and are not easy to erase or replace, which turns any compromised biometric database into a long-term liability rather than a one-time incident. The window of exposure for a leaked password is the time until you change it. The window for a leaked fingerprint is the rest of your life.

The downstream risk is not abstract. Biometrics increasingly gate access to phones, banking apps, building entry systems, and government services. A fingerprint template sitting in a criminal data set today can be matched against future authentication systems for decades. It can also be used to seed convincing synthetic identities, because a biometric paired with a real Social Security number and a real address is far harder for a fraud detection system to flag as fake. This is the structural reason privacy advocates argue against collecting biometrics at all unless the use case is unavoidable: the data outlives every protection placed around it.

How Long Was the Attacker Inside?

Roughly ten weeks, from late November 2025 until detection on February 2, 2026. That dwell time is the part of the timeline that matters most for the people whose records were taken.

Dwell time is the interval between an attacker gaining access and a defender noticing. A longer dwell time means more time to map the network, locate the most valuable data stores, and copy files out without tripping an alarm. Ten weeks is enough to identify and exfiltrate exactly the kind of consolidated record set described above, rather than grabbing whatever was nearest the entry point. The breadth of categories stolen is consistent with an actor who had time to look around.

The pattern echoes other recent intrusions into hospital networks. In a separate incident, the Qilin group sat inside a regional hospital network for about a week and walked out with hundreds of thousands of patient records, as covered in the Covenant Health Qilin ransomware breach. NYC Health + Hospitals attributes its own intrusion to a compromise at an unnamed third-party vendor that had access to its systems, a supply-chain entry point that bypasses much of the perimeter hardening a hospital invests in directly.

Why Is Healthcare Such a Frequent Target?

Because hospitals combine the highest value data with the lowest tolerance for downtime, which is precisely the profile extortion crews look for. A patient record is worth more than a stolen card on criminal markets, and a hospital under operational pressure is more likely to pay quickly.

The numbers bear this out. The FBI Internet Crime Complaint Center named healthcare and public health the most targeted critical infrastructure sector in 2025, recording 460 ransomware incidents and 182 data breaches against the sector across the year, more than any of the other fifteen critical infrastructure categories. The reasoning attackers apply is straightforward: sectors that cannot tolerate disruption to operations, where lives depend on systems staying online, face the most pressure to pay a ransom fast.

The exposure is widened by how much patient data now flows to third parties and outside systems. Beyond classic intrusions, hospitals have leaked patient information through web technologies embedded in their own portals, a problem documented in the Rutgers study finding tracking code on a large share of hospital websites and in the wave of hospital data settlements reaching into the hundreds of millions of dollars. Every vendor and integration is another potential entry point, and the NYC Health + Hospitals breach reportedly started at exactly such a vendor.

What Should Affected Patients Do?

Treat this as a permanent change to your risk profile rather than a single event that passes, because the biometric and Social Security components do not expire. Take the standard identity protection steps, and then take the extra ones that the biometric exposure makes necessary.

  • Enroll in the offered monitoring and place a credit freeze. Accept the 24 months of Kroll monitoring, then freeze your files at all three credit bureaus. A freeze is free, stronger than monitoring, and blocks new accounts from being opened in your name.
  • Request an IRS Identity Protection PIN if you do not already have one. Because taxpayer IDs and existing IP PINs were among the stolen fields, get a fresh PIN to block fraudulent tax filings.
  • Move away from fingerprint- and palm-based authentication where you can. For high-value accounts, prefer a hardware security key or an authenticator app over a fingerprint. The leaked biometric raises the long-term risk of any system that trusts that fingerprint.
  • Stay alert to medical identity theft. Review explanation of benefits statements from your insurer for care you did not receive, and report anything unfamiliar, since the stolen medical and insurance data enables fraud that credit monitoring will not catch.
  • Be skeptical of follow-on contact. Criminals holding your name, diagnosis, and provider can craft highly convincing calls and messages. Verify any contact claiming to be from the hospital or your insurer through a number you look up independently.

There is no action that undoes the loss of a fingerprint, which is the uncomfortable core of this breach. The practical response is to harden everything that can still be changed and to assume the biometric data is now permanently outside your control.