NYC Health + Hospitals (NYC H+H) disclosed a months‑long breach via a third‑party vendor that exposed highly sensitive patient and employee data for at least 1.8 million people, including medical records, government IDs, geolocation data, and even biometric data such as fingerprints and palm‑prints. NYC H+H detected suspicious activity on 2 February 2026 and later confirmed that an unauthorized actor accessed parts of its network from roughly late November 2025 through February 2026.
The incident was reported to the US Department of Health and Human Services on 24 March 2026 and currently affects at least 1.8 million individuals, marking it as one of the larger healthcare breaches in 2026 so far. NYC H+H attributes the intrusion to a breach at an unnamed third‑party vendor that had access to its systems, fitting the pattern of supply‑chain compromises.
The exposed data comprises three layers: classical PII, medical and insurance data, and biometrics, with the latter considered as sensitive as medical history and likely to stay with individuals for life. The article notes that such breaches can fuel long‑term fraud and privacy loss, and it highlights the need for identity monitoring and other protective steps.