TL;DR: NYC Health + Hospitals, the nation's largest public healthcare system, got hacked. An attacker roamed their network from November 25, 2025 to February 11, 2026. That's 11 weeks of undetected access. Over 1 million patients have their Social Security numbers, fingerprints, medical records, and financial data in criminal hands. The breach came through a third-party vendor that NYC H+H won't name. They're offering two years of credit monitoring. Good luck: your biometric data can't be frozen like a credit report.
What Happened
On February 2, 2026, NYC Health + Hospitals discovered unauthorized activity in their systems. Investigation revealed the breach started November 25, 2025, meaning hackers had 11 weeks inside the network before anyone noticed.[1]
NYC H+H isn't some small clinic. It's the largest municipal health system in America. 45,000 employees. 70+ patient care locations across all five boroughs. Over 1 million patients served annually. Nearly 400,000 uninsured patients who have nowhere else to go.[2]
All of those patients' records were accessible for nearly three months.
The breach notification went out March 26, 2026, almost two months after discovery. Two months where your stolen data was circulating while you had no idea.
What They Took
This isn't just names and emails. According to NYC H+H's official disclosure, compromised data includes:[1][3]
- Social Security numbers: The keys to your identity
- Biometric data (fingerprints, palm prints): You can't change these. Ever.
- Medical records: Diagnoses, medications, test results, treatment plans
- Health insurance details: Plan info, member IDs, government payor numbers
- Financial account credentials: Including online banking login info
- Driver's license and tax ID numbers: More identity theft fuel
- Geolocation data: Where you've been
- Billing and payment information: Credit card and bank details
The biometric data is the nightmare scenario. You can freeze your credit. You can change passwords. You can't change your fingerprints. Once that data is stolen, it's compromised for life.
The Third-Party Problem
NYC H+H says the attacker "may have gained access" through a breach at a third-party vendor.[1] They won't say which vendor.
This is healthcare's dirty secret. Hospitals share your data with dozens of vendors: billing companies, lab services, IT contractors, electronic health record providers. Each one is a potential entry point. Each one can expose your entire medical history.
NYC H+H isn't alone. This week's breach joins a pattern:
- TriZetto/Cognizant: 3.4 million patients' data stolen through a claims processing vendor
- Conduent: 26 million Americans' Medicaid data exposed via a government contractor
- AltaMed: 1.2 million patients compromised through third-party access
You trusted your hospital. Your hospital trusted a vendor. The vendor got hacked. Your data is gone.
Who's Affected
According to NYC H+H's notice, you may be impacted if you were:[1]
A Patient Since 2020
Anyone who received care at an NYC Health + Hospitals facility since 2020 should assume their data was accessible.
An Employee
Workforce members, past and present, had personnel records in the compromised systems.
An Uninsured Patient
NYC H+H serves 400,000 uninsured patients annually. These are the most vulnerable New Yorkers, now exposed to identity theft.
The affected population: over 1 million patients.[4] In a city of 8 million, that's roughly one in eight New Yorkers.
What NYC H+H Is Doing (And Not Doing)
The official response includes:[1]
- "Deployed additional detection and protective technologies"
- Reset credentials for compromised accounts
- Implemented enhanced detection rules
- Updated remote access management policies
- 24 months of free identity monitoring through Kroll
What they're not doing: naming the third-party vendor, explaining how 11 weeks of intrusion went undetected, or addressing the biometric data problem.
Identity monitoring won't help you if someone uses your stolen fingerprints. There's no "biometric freeze" service. Once your fingerprints are in criminal databases, they're there permanently.
What You Can Do
Freeze Your Credit Now
Your SSN is stolen. Freeze your credit at all three bureaus immediately: Equifax, Experian, TransUnion. It's free and stops new accounts from being opened.
Enroll in the Free Monitoring
Call (844) 403-4518 or visit nychealth-hospitalsincident.kroll.com. Available Monday-Friday, 9am-6:30pm ET. The hotline stays open for 90 days starting March 24.
Watch for Medical Identity Theft
Request your medical records from NYC H+H. Check for treatments you didn't receive. Someone could be billing insurance under your name.
Monitor Financial Accounts Closely
Financial credentials were stolen. Check bank and credit card statements daily. Set up transaction alerts. Report unauthorized activity immediately.
Change Passwords Everywhere
Online account credentials were compromised. If you reuse passwords (you shouldn't), change them all. Enable two-factor authentication.
File for an IRS Identity Protection PIN
Your SSN and tax ID were stolen. File for an IP PIN at irs.gov/identity-theft to prevent tax refund fraud.
Lawsuits Are Coming
Class action attorneys are already circling. Edelson Lechtzin LLP announced it's investigating potential claims against NYC Health + Hospitals.[4]
The legal theory: NYC H+H had a duty to protect patient data. An 11-week undetected breach suggests they failed. The biometric data exposure adds another layer. New York has no comprehensive biometric privacy law, but that may not protect NYC H+H from negligence claims.
If you received a breach notification, keep it. Document when you were notified. Note the gap between when the breach started (November 2025), when they discovered it (February 2026), and when they told you (March 2026). That timeline matters.
Healthcare's Broken Security Model
NYC Health + Hospitals serves the people other hospitals don't want. The uninsured. The undocumented. Low-income New Yorkers with nowhere else to go. Over $1.1 billion in uncompensated care annually.[2]
These are exactly the people least equipped to deal with identity theft. And now their SSNs, fingerprints, and medical histories are in criminal hands because a vendor somewhere had inadequate security.
The healthcare sector continues to lead in data breaches. Why? Valuable data, tight budgets, complex vendor networks, and legacy systems. Your medical record is worth more than your credit card on the dark web: it has everything needed for identity theft and insurance fraud.
NYC H+H will enhance security measures. They always do, after the breach. The question is why 11 weeks of network intrusion went unnoticed in the first place.
References
- [1] NYC Health + Hospitals - Official Notice of Data Breach (March 2026)
- [2] NYC Health + Hospitals - About (Organization Size and Patient Demographics)
- [3] HIPAA Journal - NYC Health + Hospitals Discloses 11-week Network Compromise (March 2026)
- [4] NYC Today - NYC Health Hospitals Hit by Data Breach (March 28, 2026)