A major data breach has compromised the personal information of at least 1.8 million patients.
Hackers spent months inside the healthcare network between November 2025 and February 2026, quietly copying highly sensitive files from its systems before the intrusion was discovered.
The stolen data reportedly includes medical records, payment information, government identification numbers and even fingerprint scans that victims cannot replace.
Officials later revealed the attack targeted NYC Health and Hospitals (NYCHHC), the largest public health system in the US, which serves more than one million New Yorkers.
According to the organization, the breach appears to have originated through a compromised third-party vendor that gave the unauthorized actor access to its systems.
Many of the affected patients rely on Medicaid or do not have health insurance, making the breach particularly alarming for vulnerable New Yorkers dependent on the public healthcare network.
NYCHHC said it has since reset compromised credentials, strengthened remote access controls and deployed new monitoring systems designed to detect future attacks.
The organization warned that the stolen information varies by individual, but may include health insurance details, diagnoses, medications, treatment plans and other sensitive medical data.
NYC Health and Hospitals (NYCHHC), the largest public health system in the US, said it detected a cyberattack on February 2, finding hackers accessed its network from November 2025 until February 2026.
Hackers may also have accessed highly sensitive biometric data such as fingerprints and palm prints, along with billing and payment information.
Other compromised information may include Social Security numbers, driver’s license numbers, taxpayer identification numbers, IRS-issued identity protection numbers, precise geolocation data, credit and debit card numbers, financial account details and online account credentials.
‘Upon discovering the incident, NYC Health + Hospitals immediately launched a thorough investigation with the support of a leading cybersecurity firm,’ said NYCHHC.
‘NYC Health + Hospitals also engaged a leading data analytics firm to analyze the contents of the data that may have been accessed without authorization. The investigation is ongoing.’
The health provider urged potentially affected individuals to remain vigilant by closely monitoring account statements, explanation-of-benefits documents and credit reports for any suspicious activity.
The health system also advised victims to report suspected fraud or identity theft immediately to financial institutions, insurers or other relevant organizations.
Officials recommended that anyone whose online account credentials may have been compromised should immediately change passwords for affected accounts, as well as any other accounts using the same or similar login information.
Eligible individuals were also encouraged to enroll in the identity protection services being offered following the breach.
The health provider further advised victims to consider placing a fraud alert or security freeze on their credit files.
A fraud alert requires creditors to take additional steps to verify a person’s identity before opening new lines of credit. It is placed by contacting one of the three major credit reporting agencies, which then alerts the other two, and it remains active for one year.
A security freeze, meanwhile, restricts access to a person’s credit report, making it more difficult for identity thieves to open accounts in their name.
NYCHHC noted there is no cost to place, temporarily lift or permanently remove a security freeze, but individuals must contact each credit reporting agency directly.
The organization also reminded victims that they have the right to file a police report if they believe they were targeted by identity theft and can seek additional information from law enforcement about identity theft crimes.



