New York City Health and Hospitals (NYCHH) has confirmed that a months-long computer network compromise incident resulted in medical, financial, personal and biometric data being copied by an unauthorized actor. The breach, affecting at least 1.8 million people, is the latest and largest in a long series of attacks against medical institutions’ information systems.
“The scale of the system, combined with the types of data it holds, makes the breach especially consequential. Healthcare providers routinely maintain a dense mix of clinical, insurance, billing, identity, and employment records, which can be highly valuable to financially motivated cybercriminals,” Biometric Update said Monday.
In addition to the confidential medical and financial information, NYCHH said the breach involved fingerprints and palm prints – which cannot be changed unlike credit cards or social security numbers.
While the health system didn’t specify if the biometrics belonged to staff or patients, medical industries typically require fingerprinting of employees while healthcare providers are increasingly using biometrics to identify new and returning patients.
“NYCHHC did not provide an explanation for storing biometric data. Prospective NYCHHC employees are generally required to enroll their fingerprints for criminal records checks. It’s not yet known if patients’ biometrics were also taken,” Yahoo News said Monday.
Unlike paper documents which can be stored in a locked filing cabinet, minimizing counterparty risk, computer databases, online payment processors and biometric collection devices necessitate third-party hardware and software.
Biometric Update detailed how third-party systems may have played a role in this incident:
NYCHH said the intrusion may have originated through a breach at an unnamed third-party vendor. The organization did not identify the vendor in its public notice.
That detail places the incident within a broader pattern of healthcare cybersecurity risks in which hospitals and health systems may have hardened portions of their own networks but remain exposed through vendors, contractors, software providers, managed service providers, and other outside entities that hold access to internal systems or sensitive data.
Third-party access has become one of the most persistent vulnerabilities in the healthcare sector. Hospitals depend on outside vendors for billing, claims processing, scheduling, electronic health record support, staffing, analytics, remote access tools, and cybersecurity services.
When a vendor account, system, or credential is compromised, attackers may be able to move into a healthcare organization’s environment without exploiting the provider directly.
In the NYC Health and Hospitals case, the public notice says the investigation remains ongoing but indicates the unauthorized actor may have gained access because of a security breach at a third-party vendor.
The health system said once it became aware of the issue on February 2, 2026 it immediately began to investigate it, enlisting the help of outside cybersecurity professionals.
It was discovered that the data breach began around November 25, 2025, but “The timeline also raises significant questions,” Biometric Update said.
This is due to the unauthorized access continuing until February 11, 2026, “meaning the attacker was inside affected systems for roughly 11 weeks and remained present for several days after the suspicious activity was first discovered.”
The Department of Health and Human Services maintains a data breach tracker which shows how alarmingly common these incidents are.
Several other high-profile medical system breaches that have taken place recently were compiled by Biometric Update:
Erie Family Health Centers in Chicago reported a breach affecting 570,000 people after hackers accessed its network between December 2025 and late January 2026.
Florida Physician Specialists reported a breach affecting 276,000 people.
Coastal Carolina Health Care in North Carolina and Western Orthopaedics in Colorado each reported incidents affecting roughly 110,000 people.
It is highly unlikely that any level of severity or regularity of data breaches will push the medical industry back toward paper records due to the efficiency gains of digital technology.
More likely, due to biometrics being unchangeable, implantable microchips may eventually be proposed, completing the problem, reaction, solution dialectic.
The technology for human microchipping rolled out over two decades ago with the VeriChip.
“The VeriChip is injected under the skin of the upper arm or hip in an outpatient procedure. A special scanner reads the RF signal emitted by the microchip to obtain the device’s ID number, which then is entered into a database to access personal data about the individual. Other potential uses of the chip, according to company officials, include scanning unconscious patients to obtain their medical records or restricting access to high-security buildings by scanning workers to verify their clearance,” Wired Magazine said in 2003.
While the company eventually ceased operations, the proof of concept demonstrated that a future where patients are microchipped is possible, if not publicly rejected.
2 Responses
Weak credentials, staff that don’t know what phishing is, unpatched boxes most of the time with OS version that is out of support, weird thrown together custom software that looks like .NET written by some bid-locked company that just pays pennies to a Indian or asian provider on the back-end..
These data breaches are always inside jobs.