New York public well being supplier NYC Well being + Hospitals says a months-long knowledge breach that allowed hackers to thieve non-public knowledge, clinical information, and fingerprints scans impacts no less than 1.8 million folks.
NYCHHC is the biggest public well being machine in the US and gives healthcare to over 1,000,000 New Yorkers, the vast majority of whom are uninsured or obtain state healthcare advantages, reminiscent of Medicaid.
The healthcare machine reported the quantity to the U.S. Division of Well being and Human Products and services, making it one of the most greatest healthcare-related knowledge breaches of the yr up to now. Healthcare organizations were time and again centered by means of financially motivated cybercriminals in recent times in efforts to thieve their huge banks of extremely delicate sufferers’ non-public, clinical, and billing knowledge.
In a knowledge breach realize on its web site, NYCHHC mentioned that it detected a cyberattack on February 2 and secured its community. The hackers had get admission to to its community from November 2025 till February 2026, all through which the hackers copied information from its methods.
The healthcare machine mentioned hackers broke because of a breach at a third-party supplier, which it didn’t identify.
NYCHHC mentioned that the uncovered knowledge varies by means of particular person and contains sufferers’ medical health insurance plan and coverage knowledge, clinical knowledge (e.g., diagnoses, medicines, exams, and imagery), billing, claims, and fee knowledge. Different government-issued identification paperwork, reminiscent of Social Safety numbers, passports, and driving force’s licenses, had been additionally compromised.
The breach realize additionally says “actual geolocation knowledge” used to be taken within the breach, suggesting that the user-uploaded footage in their identification paperwork can have additionally contained the precise location of the place the file used to be captured.
The breach is especially delicate as a result of hackers stole biometric knowledge, together with fingerprints and palm prints, which affected folks have for existence and can not change. NYCHHC didn’t give an explanation for storing biometric knowledge. Potential NYCHHC workers are normally required to sign up their fingerprints for felony information exams. It’s now not but identified if sufferers’ biometrics had been additionally taken.
NYCHHC’s web site used to be in brief offline as of Monday morning. A spokesperson for NYCHHC didn’t right away reply to an e mail from TechCrunch with questions concerning the cyberattack. TechCrunch requested, amongst different issues, why it took the group months to stumble on the breach, and if it has won any conversation from the hackers, reminiscent of a requirement for fee.
It’s now not transparent if NYCHHC can obtain e mail on the time of the web site outage.
The incident seems to be unrelated to the information breach at Nationwide Affiliation on Drug Abuse Issues (NADAP) previous this yr, during which over 5,000 NYCHHC sufferers had knowledge taken within the cyberattack.
Within the FBI’s newest annual record on cybercrime protecting 2025, healthcare remained a best goal for ransomware attackers — criminals who ruin into databases, thieve a duplicate of the information whilst scrambling the sufferer’s servers, and threaten to submit the stolen knowledge if the sufferer does now not pay the hackers. A ransomware assault on UnitedHealth-owned well being tech large Trade Healthcare allowed Russian-linked hackers to thieve the clinical and billing knowledge of greater than 190 million American citizens, believed to be the biggest robbery of U.S. clinical knowledge in historical past.
Whilst you acquire thru hyperlinks in our articles, we would possibly earn a small fee. This doesn’t impact our editorial independence.
