NYC Health + Hospitals (NYC H+H) posted a data breach notice about a months‑long breach via a third‑party vendor that exposed highly sensitive patient and employee data for at least 1.8 million people, including medical records, government IDs, geolocation data, and even fingerprint and palm‑print biometrics.
NYC H+H detected suspicious activity on February 2, 2026, and later confirmed that an unauthorized actor had access to parts of its network from roughly late November 2025 through February 2026.
During this window, attackers copied files containing personal, medical, financial, and biometric information. The incident was reported to the US Department of Health and Human Services (HHS) on March 24, 2026, and currently affects at least 1.8 million individuals, making it one of the largest healthcare breaches of 2026 so far.
New York City Health and Hospitals Corporation (“NYC Health + Hospitals”) is posting this notice to inform affected individuals about a data security incident that may have affected some of their personal information and/or protected health information, and to provide details about what happened, what information may have been involved, what NYC Health + Hospitals is doing in response, and what resources are available to individuals whose information may have been impacted. NYC Health + Hospitals is providing this notice in accordance with HIPAA regulations, including 45 CFR § 164.404(d)(2). Where required by applicable law, NYC Health + Hospitals is also providing email notice when available and notice to certain major statewide media in print and broadcast.
This notice will remain posted on the home page of NYC Health + Hospitals website through June 23, 2026. Our dedicated toll-free response line, (844) 403-4518, will remain active at least until June 23, 2026 so that individuals can learn whether their information might have been impacted by the incident.
