NYC's Largest Public Hospital System Leaked Medical Records, Fingerprints, and Social Security Numbers of 1.8 Million People — For Three Months

Hackers Had a Three-Month All-Access Pass
NYC Health + Hospitals (NYCHHC) — the largest public health system in the United States — confirmed a massive data breach affecting at least 1.8 million people, according to TechCrunch.
Hackers were inside the network from November 2025 until February 2, 2026. Three full months. NYCHHC says it detected the attack on February 2nd and "secured its network." What that means in practice: the damage was already done.
The system formally reported the breach to the U.S. Department of Health and Human Services, joining the list of major healthcare data breaches reported this year.
What Got Stolen
This wasn't just email addresses and phone numbers. According to NYCHHC's own breach notice, the stolen data includes:
- Health insurance plan and policy information
- Medical records — diagnoses, medications, test results, imaging
- Billing, claims, and payment information
- Social Security numbers
- Passports and driver's licenses
- Precise geolocation data
- Biometric data — fingerprints and palm prints
Biometric data presents a particular problem. Your password gets compromised, you change it. Your credit card number leaks, you get a new card. Your fingerprints are permanent. There is no replacing them.
TechCrunch noted that NYCHHC offered no explanation for why it was storing biometric data in the first place. Prospective employees are generally required to submit fingerprints for criminal background checks — but whether patient biometrics were also caught up in this breach remains unclear. NYCHHC has not answered that question.
A Third-Party Vendor Did This — And We Don't Know Who
NYCHHC admitted the breach originated through a third-party vendor. They refused to name the vendor, according to TechCrunch.
This is a pattern the healthcare industry keeps repeating. A massive institution outsources critical functions to a contractor. The contractor gets breached. Millions of patients pay the price. And the institution shields the contractor's identity from the public.
The people whose data was stolen deserve to know which vendor failed them. NYCHHC has not disclosed this information.
Who Gets Hurt Here
NYCHHC serves over one million New Yorkers, the majority of whom are uninsured or on Medicaid, according to both TechCrunch and Firstpost. These are low-income patients who went to a public hospital because they had no other option.
They gave the city's healthcare system the most intimate details of their lives — their diagnoses, their medications, their bodies. Now that data is in the hands of criminals.
The Questions Nobody Is Answering
TechCrunch sent NYCHHC a list of direct questions: Why did it take months to detect the breach? Has NYCHHC received a ransom demand? As of Monday morning, NYCHHC's website was briefly offline — meaning they may not have been receiving email when the questions were sent.
No spokesperson responded.
The mainstream coverage from outlets like the Daily Mail and Firstpost largely recapped the basic facts without pressing on the hard questions. The following remain unanswered:
- Which vendor was responsible?
- Why was biometric data stored in a system connected to a third-party network?
- Was a ransom paid?
- What cybersecurity standards was NYCHHC required to meet?
- Who at the city level is accountable for this?
New York City's public hospital system is funded by taxpayer dollars. City, state, and federal money flows into NYCHHC. The people running it answer to the public. So far, they have provided no public accounting.
Government Accountability
Healthcare data breaches are now routine in America. Cybercriminals have turned hospitals into targets for stolen personal data. But NYCHHC isn't a private hospital system — it's a government-run institution. Every failure here reflects on government oversight.
The bureaucracy responsible for securing vendor contracts is also responsible for protecting the fingerprints of 1.8 million people. Three months of unauthorized access. Biometrics stolen. Social Security numbers gone. The public found out months after the attackers accessed the system.
If a private hospital let hackers sit in its systems for 90 days and then refused to name the vendor responsible, regulators would have demanded answers. The New York City government owes its residents — especially the uninsured and low-income patients who had no other choice — a full accounting of what happened and why.