NYC Health + Hospitals has confirmed the theft of medical data, clinical records, and biometric data of at least 1.8 million people in the United States following an undetected access to its network that lasted 76 days, between November 25, 2025, and February 2, 2026.
The breach affects particularly sensitive and difficult-to-replace information. Along with diagnoses, prescribed medication, or health insurance data, the attackers obtained fingerprints and palm prints, a type of data that cannot be changed if exposed and which aggravates the impact for the biometric authentication systems of those affected.
Attackers maintained access for 76 days undetected
The healthcare system notified the U.S. Department of Health and Human Services of the incident and published the official notice on its website on March 24, 2026. In that statement, it indicated that the case may be related to a security issue affecting a third-party vendor.
"The incident may be related to a security incident involving a third-party vendor" - NYC Health + Hospitals, official statement
During that period, intruders accessed a large volume of personal and financial information. The list includes Social Security numbers, driver's licenses, tax identification numbers, credit and debit cards, bank accounts, access credentials, and precise geolocation data.
In addition to administrative information, the intrusion reached high-value clinical data in the criminal market. The FBI's 2025 annual report on cybercrime places the healthcare sector as the primary target of ransomware attacks due to the difficulty of disconnecting critical systems and the value of medical records.
Stolen fingerprints add a permanent risk for those affected
The exposure of biometric data introduces a different problem than that of a password or a bank card. A fingerprint or palm print cannot be replaced, so the leak leaves a lasting vulnerability for any system that uses that form of identification.
In parallel, the increase in connected technology in hospitals expands the exposure surface. The FDA approved more than 900 medical devices with artificial intelligence in 2026, a growth that adds new potential entry points in environments where service continuity is critical.
NYC Health + Hospitals has launched a toll-free hotline for those affected and has hired a cybersecurity firm and a data analytics firm to manage the crisis. It has also incorporated additional detection and protection tools into its infrastructure.
The scope of the case is known two years after another precedent of great magnitude in the United States. The attack against Change Healthcare in 2024, attributed to the ALPHV BlackCat group, compromised the information of more than 190 million Americans and remains the largest healthcare breach recorded in the country.
The hotline enabled for those affected operates at 844-403-4518, Monday through Friday between 9:00 AM and 6:30 PM Eastern Time, and its availability is guaranteed at least until June 23, 2026.