Data breach on New York public health system claims 1.8M victims, leaking biometric data to hackers
The largest public health system in the U.S. confirmed in a filing with the Department of Health and Human Services that a data breach on its network impacted 1.8 million patients, exposing their personal data to hackers.
The data breach, which was said to have lasted for months, was revealed by NYC Health + Hospitals in March. At the time, the health system said it first discovered "suspicious activity” on its network in February, at which time it moved to “immediately” secure its systems from access by the unauthorized third-party.
An investigation found cybercriminals had been inside its IT infrastructure since November 2025, stemming from a breach on an unnamed vendor the organization contracts with for services.
NYC Health serves over one million residents of New York, operating as a safety-net health system. Most of its clients are on Medicaid or receive some kind of state benefits.
At a now confirmed 1.8 million victims, the data breach is one of the largest on record for 2026 so far.
Personal data taken by hackers includes medical records, personal contact information, and fingerprint scans of victims who received care through NYC Health. This also includes health insurance information, billing details and payment information.
The health system confirmed Social Security numbers and photos of IDs such as driver’s licenses and passports were also compromised.
It's unusual for a data breach to include biometric data such as fingerprint and palm scans, suggesting hackers had broad access to the health system’s network. The vector of attack, and how it was discovered, remain unknown.
In its statement, the group also confirmed “precise geolocation data” was taken from patients, linked to uploaded photos and medical documents—this would include IP addresses obtained from patient logins through a portal.
Victims are being offered credit monitoring and identity theft protection for the next 24 months at no cost, applied retroactively to any employee or patient who interacted with any NYC Health entity since 2020.
The protection implies that it was staff, too, who may have had their data taken during the attack.
HealthExec reached out to NYC Health for more information on what precisely was taken and what risks it may pose to patients and workers.
Care management organization also attacked
In March, NYC Health released a separate notice about how a data breach on the National Association on Drug Abuse Programs (NADAP) exposed 5,086 patient records.
NADAP is a care management group that works with the state of New York’s healthcare programs—including the same Medicaid patients who patronize NYC Health—to provide options for substance abuse mitigation.
Given the overlapping timeframe, it’s not clear if this is a related breach or a coincidence. HealthExec also asked NYC Health for clarity on this incident.
An attempt to contact NADAP in March was unsuccessful. The data breach on its network was said to be discovered in January.
Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.