NYC Health and Hospitals (NYCHHC), the largest public healthcare system in the US, disclosed a data breach affecting at least 1.8 million people. Hackers accessed the network from November 2025 to February 2026 via a compromised third-party vendor, stealing medical records, Social Security numbers, passport details, billing data, precise geolocation data, and biometric information including fingerprints and palm prints. The theft of biometric data is especially alarming because, unlike passwords or SSNs, fingerprints cannot be revoked or reissued. The breach follows a familiar pattern of supply-chain attacks on healthcare vendors, similar to the 2024 Change Healthcare ransomware incident. The affected population is disproportionately low-income and immigrant, limiting their ability to respond to identity theft. Healthcare remains the most expensive sector for breach containment, averaging $7.42 million per incident in 2025.
Table of contents
The biometric problemA third-party vendor breachWho is affectedThe healthcare cybersecurity crisisSort: