A major data breach has compromised the personal information of at least 1.8 million patients.
NYC Health and Hospitals (NYCHHC), the largest public health system in the US, said it detected a cyberattack on February 2.
An investigation found that an unauthorized individual gained access to NYCHHC systems between November 25, 2025 and February 11, 2026, during which time files were copied from the network.
Cybercriminals copied files from the system, including personal data, medical records, payment information and fingerprint scans.
‘Although the investigation is ongoing, it appears that the unauthorized actor may have gained access to NYC Health + Hospitals systems due to a security breach at a third-party vendor,’ NYCHHC shared in a statement.
The healthcare network serves more than one million residents across New York City, many of whom rely on Medicaid or lack health insurance altogether.
NYCHHC said it has since strengthened security across its network in an effort to prevent another cyberattack.
It also reset compromised account credentials, added new detection and protection tools, tightened remote access policies and introduced enhanced monitoring designed to identify the tactics allegedly used by the hackers.
NYC Health and Hospitals (NYCHHC), the largest public health system in the US, said it detected a cyberattack on February 2, finding hackers accessed its network from November 2025 until February 2026
According to the announcement, the stolen information varies by person, but may include health insurance details, medical records, diagnoses, medications, test results and treatment plans.
Hackers may also have accessed highly sensitive biometric data such as fingerprints and palm prints, along with billing and payment information.
The breach also exposed biometric data, including fingerprints and palm prints.
Other compromised information may include Social Security numbers, driver’s license numbers, taxpayer identification numbers, IRS-issued identity protection numbers, precise geolocation data, credit and debit card numbers, financial account details and online account credentials.
‘Upon discovering the incident, NYC Health + Hospitals immediately launched a thorough investigation with the support of a leading cybersecurity firm, said NYCHHC.
‘NYC Health + Hospitals also engaged a leading data analytics firm to analyze the contents of the data that may have been accessed without authorization. The investigation is ongoing.’
The health provider urged potentially affected individuals to remain vigilant by closely monitoring account statements, explanation-of-benefits documents and credit reports for any suspicious activity.
The health system also advised victims to report suspected fraud or identity theft immediately to financial institutions, insurers or other relevant organizations.
Read More
EXCLUSIVE The ‘affair mode’ phone settings that all cheaters use: I knew my partner was up to something… here’s how I cracked his secret code and uncovered all his dirty antics
Officials recommended that anyone whose online account credentials may have been compromised should immediately change passwords for affected accounts, as well as any other accounts using the same or similar login information.
Eligible individuals were also encouraged to enroll in the identity protection services being offered following the breach.
The health provider further advised victims to consider placing a fraud alert or security freeze on their credit files.
A fraud alert requires creditors to take additional steps to verify a person’s identity before opening new lines of credit and remains active for one year after contacting one of the three major credit reporting agencies, which then alerts the other two.
A security freeze, meanwhile, restricts access to a person’s credit report, making it more difficult for identity thieves to open accounts in their name.
NYCHHC noted there is no cost to place, temporarily lift or permanently remove a security freeze, but individuals must contact each credit reporting agency directly.
The organization also reminded victims that they have the right to file a police report if they believe they were targeted by identity theft and can seek additional information from law enforcement about identity theft crimes.
