NYC Health and Hospitals Suffers Massive Data Breach Affecting 1.8 Million Individuals
New York City Health and Hospitals (NYCHH), the largest public health system in the U.S., has disclosed one of the most significant healthcare data breaches of 2026, exposing sensitive personal, medical, financial, and biometric information of at least 1.8 million individuals. The breach, detected on February 2, 2026, revealed unauthorized access to NYCHH systems between November 25, 2025, and February 11, 2026, with attackers exfiltrating files during that period.
The compromised data includes protected health information (PHI), identity documents, financial records, and biometric data, such as fingerprints and palm prints details that cannot be replaced if stolen. Affected individuals may have had Social Security numbers, driver’s license numbers, medical records, insurance details, billing information, and even precise geolocation data exposed. The breach’s scale and sensitivity make it one of the most consequential in recent years, given the irrevocable nature of biometric data.
NYCHH serves over a million New Yorkers, many of whom are uninsured or rely on public health programs like Medicaid. The organization has not identified the specific third-party vendor believed to be the initial entry point for the attack, though the incident aligns with a growing trend of healthcare breaches originating from compromised vendors. Hospitals increasingly depend on external partners for billing, electronic health records, and cybersecurity services, creating vulnerabilities when those vendors are breached.
The timeline of the attack raises concerns: despite detecting suspicious activity on February 2, the unauthorized access persisted until February 11, meaning attackers remained inside the system for 11 weeks and continued operations even after discovery. NYCHH has since implemented enhanced detection tools, credential resets, and updated remote access policies to prevent future intrusions.
This breach follows a string of major healthcare incidents in 2026, including breaches at Erie Family Health Centers (570,000 affected), Florida Physician Specialists (276,000), Coastal Carolina Health Care (110,000), and Western Orthopaedics (110,000), highlighting the persistent threat cybercriminals pose to the sector. NYCHH’s investigation remains ongoing, and the full scope of the exposure may evolve as the review of compromised files continues.
Coastal Carolina Health Care TPRM report: https://www.rankiteo.com/company/novanthealth
Western Orthopaedics TPRM report: https://www.rankiteo.com/company/northwestern-medicine
Florida Physician Specialists TPRM report: https://www.rankiteo.com/company/florida-health-agency
"id": "flonornov1779136377",
"linkid": "florida-health-agency, northwestern-medicine, novanthealth",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,800,000',
'industry': 'Healthcare',
'location': 'New York City, USA',
'name': 'New York City Health and Hospitals (NYCHH)',
'size': 'Largest public health system in the U.S.',
'type': 'Public Health System'}],
'attack_vector': 'Third-party vendor compromise',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '1,800,000',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Protected health information '
'(PHI)',
'Identity documents',
'Financial records',
'Biometric data',
'Social Security numbers',
'Driver’s license numbers',
'Medical records',
'Insurance details',
'Billing information',
'Geolocation data']},
'date_detected': '2026-02-02',
'description': 'New York City Health and Hospitals (NYCHH), the largest '
'public health system in the U.S., has disclosed one of the '
'most significant healthcare data breaches of 2026, exposing '
'sensitive personal, medical, financial, and biometric '
'information of at least 1.8 million individuals. The breach '
'involved unauthorized access to NYCHH systems between '
'November 25, 2025, and February 11, 2026, with attackers '
'exfiltrating files during that period. The compromised data '
'includes protected health information (PHI), identity '
'documents, financial records, and biometric data such as '
'fingerprints and palm prints.',
'impact': {'brand_reputation_impact': 'High',
'data_compromised': 'Protected health information (PHI), identity '
'documents, financial records, biometric data '
'(fingerprints, palm prints), Social Security '
'numbers, driver’s license numbers, medical '
'records, insurance details, billing '
'information, geolocation data',
'identity_theft_risk': 'High',
'payment_information_risk': 'High'},
'initial_access_broker': {'entry_point': 'Third-party vendor'},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'corrective_actions': 'Enhanced detection tools, '
'credential resets, updated '
'remote access policies',
'root_causes': 'Third-party vendor compromise, '
'prolonged unauthorized access (11 '
'weeks)'},
'references': [{'source': 'Cyber Incident Description'}],
'regulatory_compliance': {'regulations_violated': ['HIPAA']},
'response': {'containment_measures': 'Enhanced detection tools, credential '
'resets, updated remote access policies',
'enhanced_monitoring': 'Yes'},
'title': 'NYC Health and Hospitals Suffers Massive Data Breach Affecting 1.8 '
'Million Individuals',
'type': 'Data Breach'}