NYC Health + Hospitals Data Breach 2026: What You Need to Know
America's largest public healthcare system disclosed on 18 May 2026 that hackers stole personal, medical, and biometric data, including fingerprints and palm-print scans, of at least 1.8 million patients and workforce members. The attackers had access to the network for approximately 2.5 months before detection. Here is what happened, what data was leaked, and steps you can take to respond.
What Happened
How the NYC Health + Hospitals Breach Unfolded
25 November 2025
An unauthorised actor gains access to NYC Health + Hospitals' network through a compromised third-party vendor. The breach goes undetected for approximately 2.5 months while the attacker copies files from internal systems.
2 February 2026
NYC Health + Hospitals detects the intrusion and immediately secures its network. The HHS Office for Civil Rights is notified.
24 March 2026
NYCHHC files an official notification with the US Department of Health and Human Services, initially scoping the incident at approximately 1.8 million affected individuals.
18 May 2026
NYC Health + Hospitals publicly discloses the breach, confirming exposure of medical records, biometric data (fingerprints and palm prints), Social Security numbers, passports, driver's licences, and precise geolocation data. Affected individuals are offered 24 months of complimentary credit monitoring and identity theft protection. Class action lawsuits are filed.
Sources: TechCrunch (18 May 2026), HIPAA Journal
What Was Exposed
Personal Data Leaked in the Breach
The breach exposed an unusually broad spread of sensitive data, from standard identity fields all the way to biometric scans. Biometric data is particularly significant: unlike a password or identity-document number, fingerprints and palm prints cannot be revoked or reissued if compromised.
| Data Type | Risk Level | Who Was Affected |
|---|---|---|
| Full name | High | All 1.8 million affected |
| Email address | High | Most affected (where on file) |
| Phone number | High | Most affected |
| Home address | High | Most affected |
| Date of birth | High | All affected |
| Social Security number | High | Subset of affected (patients with SSN on file) |
| Passport number | High | Subset (international patients, workforce) |
| Driver's licence number | High | Subset |
| Medical records (diagnoses, medications, tests) | High | All patient records in scope |
| Health insurance details | High | All insured patients |
| Fingerprint scans | High | Subset (workforce + select patients with biometric ID) |
| Palm print scans | High | Subset (workforce + select patients) |
| Precise geolocation data | High | Where on file |
Risk levels are based on the OAIC guidance "What is personal information?" and the OAIC Australian Privacy Principles. Health information, biometric information (including fingerprints and palm prints), and genetic information are classified as 'sensitive information' under Privacy Act 1988 (Cth) s 6(1) and warrant the highest level of protection.
✅ Confirmed NOT Exposed
Workforce-member payroll bank accounts and patient-portal passwords were not in the scope of the breach per NYC Health + Hospitals' disclosure. The compromise originated from a third-party vendor, not NYCHHC's primary electronic-health-record system.
Company Response
What NYC Health + Hospitals Did
“We are committed to providing affected individuals with the support and resources they need to protect their information. NYC Health + Hospitals is offering 24 months of complimentary credit monitoring and identity theft protection services to all impacted patients and workforce members.”
Actions Taken by NYC Health + Hospitals
- Detected and contained the intrusion on 2 February 2026
- Engaged external cyber-forensics specialists
- Filed notifications with the US HHS Office for Civil Rights
- Notified affected individuals starting 18 May 2026
- Offered 24 months of complimentary credit monitoring and identity theft protection
- Strengthened third-party vendor access controls
- Reviewing entire third-party data-handling chain
What Now?
Steps You Can Take After the NYC Health + Hospitals Breach
The combination of medical records, biometric data, Social Security numbers, and passport data makes this one of the broadest healthcare breaches on record. Here are general best-practice steps, organised by the kind of risk most likely to apply.
Medical Identity Protection
Medical records were exposed at scale. Watch for medical identity fraud.
Request a copy of your medical records (~30 min)
Alert your other healthcare providers
Monitor your Medicare, Medicaid, or insurance statements
If Your Biometric Data Was Exposed
Biometric identifiers cannot be revoked. This requires a different mindset to a password leak.
Document that your fingerprints are compromised
Raise the exposure with any organisation using biometric ID
Consider alternative authentication where offered
Identity Protection (Government IDs)
SSN, passport, and driver's licence numbers were exposed for a subset of affected individuals.
Freeze your credit (US residents) (~20 min)
Report SSN exposure to the FTC
Replace exposed passports
AU readers: contact IDCare for cross-jurisdictional guidance
Monitoring and Reporting
Make use of the offered protection and report suspicious activity promptly.
Claim the 24 months of complimentary credit monitoring
Stay alert for targeted phishing
Report suspicious activity
Are You Still at Risk?
The Hidden Danger: Compound Breach Exposure
The NYC Health + Hospitals breach did not happen in isolation. If your data also appeared in other major healthcare breaches, the combination of leaked information can build a more complete clinical and identity profile.
How breach data compounds
On its own, the NYC Health + Hospitals breach exposed medical records, biometric scans, and government identifiers. If your data also appeared in other healthcare breaches (Medibank, Genea, Erie Family Health), the combined data set may include Medicare numbers, fertility records, payment cards, and now biometric identifiers that cannot be revoked.
- Medibank (2022), 9.7M records: health claims and Medicare details
- Genea (2025), fertility clinic: clinical notes and treatment records
- Erie Family Health (2025-2026), 570K records: SSN, biometric, medical, payment cards
- NYC Health + Hospitals (2026), 1.8M records: biometric + SSN + medical + passport
If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.
Sources
- TechCrunch: "NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people"
- TechRadar: "NYC Health + Hospitals says mega data breach allowed hackers to steal personal data, medical records, and fingerprints scans of around 1.8 million people"
- HIPAA Journal: "Up to 1.8 Million Individuals Affected by NYC Health + Hospitals Data Breach"
- Malwarebytes: "Biometrics, diagnoses, and bank details exposed in major healthcare breach"
- The Next Web: "NYC Health and Hospitals breach exposes medical records, fingerprints, and geolocation data of 1.8 million people"
- NYC Health + Hospitals: Official Notice of Data Breach
- US HHS Office for Civil Rights breach reporting
- OAIC: Notifiable Data Breaches scheme
- OAIC: What is personal information? (Privacy Act 1988 categories)
- OAIC: Australian Privacy Principles
Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with NYC Health + Hospitals or NYC Health + Hospitals Corporation. If you believe your data was affected, contact NYC Health + Hospitals directly using the contact information on their official website.