NYC Health + Hospitals, the largest public health system in the United States, has confirmed a third-party vendor breach affecting approximately 1.8 million current and former patients and employees. Attackers maintained access to the network for nearly three months, exfiltrating medical records, Social Security numbers, and irreplaceable biometric data including fingerprints and palm prints.
What Happened
NYC Health + Hospitals detected suspicious activity on its computer network on February 2, 2026. Subsequent investigation determined that intruders had been inside the environment from November 25, 2025, through February 11, 2026, an eleven-week dwell time. Initial access was traced back to a security breach at one of the health system's third-party vendors, the name of which has not been publicly disclosed. The incident was reported to the U.S. Department of Health and Human Services on March 24, 2026, with the HHS OCR breach portal subsequently updated to reflect the full 1.8 million victim count.
The health system serves more than one million New Yorkers, predominantly uninsured patients covered under Medicaid and other state benefit programs, making the victim population especially vulnerable to downstream fraud and identity abuse.
What Was Taken
Files were confirmed exfiltrated from the network during the access window. The compromised data set is unusually broad and sensitive, including:
- Medical records, diagnoses, medications, and test results
- Health insurance information
- Social Security numbers and government-issued identification
- Financial account details
- Online account credentials
- Precise geolocation data
- Biometric information, including fingerprints and palm prints
The biometric exposure is the most consequential element. Unlike passwords or account numbers, fingerprints and palm prints cannot be reissued, rotated, or revoked once compromised.
Why It Matters
This is the second major data security incident connected to NYC Health + Hospitals in 2026. A separate breach at NADAP, a Care Management Agency partner providing care coordination services under the Lead Health Home program, exposed records of 5,086 patients. Notably, the NADAP breach began on November 26, 2025, one day after intruders gained access in the main incident. The clustering of intrusions at partner organizations serving the same health system within the same week is suggestive, though the health system has not publicly linked the two events.
For defenders, the brief illustrates the cascading blast radius of vendor compromise in healthcare ecosystems where dozens of partners hold privileged network access. It also raises the bar for biometric data stewardship: any system that stores immutable identifiers must treat them as crown-jewel assets.
The Attack Technique
Public details on tradecraft are limited. What is confirmed:
- Initial access was obtained through a compromised third-party vendor, not through a direct intrusion into NYC Health + Hospitals' perimeter.
- Attackers operated undetected for approximately 78 days before defenders identified suspicious activity.
- Data was staged and exfiltrated during this window prior to discovery.
The eleven-week dwell time is consistent with a financially motivated intrusion focused on bulk data theft rather than rapid ransomware deployment, though no group has publicly claimed responsibility and no extortion posting has been tied to the incident at time of writing.
What Organizations Should Do
- Audit third-party network access. Inventory every vendor with persistent connectivity into clinical or administrative systems, and validate that each connection enforces least privilege, MFA, and time-bounded scopes.
- Reduce dwell time with behavioral detection. Eleven weeks of undetected access points to gaps in lateral movement and exfiltration telemetry. Deploy or tune detections for anomalous data egress, off-hours authentication, and credential reuse across vendor accounts.
- Segment biometric and identity stores. Treat fingerprint, palm print, and other immutable identifiers as crown-jewel data. Isolate the systems that hold them, encrypt at rest with hardware-backed keys, and log every read.
- Force credential rotation on vendor access. Reset all shared credentials, API tokens, and remote access keys associated with third-party integrations, and require modern federation rather than long-lived secrets.
- Tabletop vendor compromise scenarios. Run incident response exercises that begin with "your vendor was breached" rather than "you were breached," and rehearse evidence collection across the trust boundary.
- Notify and protect downstream victims early. Where breaches affect uninsured or low-income patient populations, prioritize accessible notification channels and ensure complimentary credit and identity protection is genuinely usable, not merely offered.