NewsTosser

NYC Health Hack Exposes 1.8 Million Patients' Data Including Fingerprints

May 20, 2026 Crime

A massive cyberattack has exposed the personal data of at least 1.8 million patients. Hackers infiltrated the network of NYC Health and Hospitals (NYCHHC), the largest public health system in the United States. The intrusion began in November and continued until February before officials discovered it.

The attackers operated quietly for months, silently copying highly sensitive files from the system. Officials confirmed the breach originated from a compromised third-party vendor that granted unauthorized access. Many victims rely on Medicaid or lack private health insurance, making this event especially dangerous for vulnerable New Yorkers.

Stolen information includes medical records, payment details, and government identification numbers. The attackers also obtained fingerprint scans and palm prints that victims cannot replace. Other exposed data encompasses Social Security numbers, driver's licenses, tax IDs, and credit card numbers.

NYCHHC detected the attack on February 2 and immediately launched a full investigation. They enlisted a leading cybersecurity firm to probe the incident's scope. Additionally, the organization hired a data analytics expert to analyze the contents of the stolen files.

The breach details vary by individual but may include diagnoses, medication lists, and treatment plans. In response, the health system reset all compromised credentials and strengthened remote access controls. They also deployed new monitoring systems designed to detect future attacks.

The investigation continues.

Health officials urge anyone potentially impacted to stay alert.

They must scrutinize bank statements, benefit explanations, and credit reports for irregularities.

Victims should contact banks, insurers, and other relevant bodies immediately upon spotting suspected fraud.

Those whose online login details may be stolen must change passwords right away.

This applies to all accounts sharing the same or similar credentials.

Eligible people are encouraged to sign up for the offered identity protection services.

Officials also suggest placing a fraud alert or security freeze on credit files.

A fraud alert forces lenders to verify identity before issuing new credit.

It stays active for one year after contacting one of the three major bureaus.

Those agencies then notify the other two about the alert.

A security freeze blocks access to credit reports entirely.

This makes it much harder for thieves to open accounts in your name.

New York City Health and Hospitals Corporation states there is no fee for these measures.

However, individuals must call each credit reporting agency directly to act.

The organization reminds victims they can file a police report if targeted.

They can also seek further information from law enforcement regarding identity theft crimes.

data breachhealthcarepatient privacysecuritytechnology