
TL;DR: NYC Health + Hospitals, the nation's largest public healthcare system, got hacked. An attacker roamed their network from November 25, 2025 to February 11, 2026. That's 11 weeks of undetected access. Over 1 million patients have their Social Security numbers, fingerprints, medical records, and financial data in criminal hands. The breach came through a third-party vendor that NYC H+H won't name. They're offering two years of credit monitoring. Good luck: your biometric data can't be frozen like a credit report.

What Happened

On February 2, 2026, NYC Health + Hospitals discovered unauthorized activity in their systems. Investigation revealed the breach started November 25, 2025, meaning hackers had 11 weeks inside the network before anyone noticed.[1]

NYC H+H isn't some small clinic. It's the largest municipal health system in America. 45,000 employees. 70+ patient care locations across all five boroughs. Over 1 million patients served annually. Nearly 400,000 uninsured patients who have nowhere else to go.[2]

All of those patients' records were accessible for nearly three months.

The breach notification went out March 26, 2026, almost two months after discovery. Two months where your stolen data was circulating while you had no idea.

What They Took

This isn't just names and emails. According to NYC H+H's official disclosure, compromised data includes:[1][3]

  • Social Security numbers: The keys to your identity
  • Biometric data (fingerprints, palm prints): You can't change these. Ever.
  • Medical records: Diagnoses, medications, test results, treatment plans
  • Health insurance details: Plan info, member IDs, government payor numbers
  • Financial account credentials: Including online banking login info
  • Driver's license and tax ID numbers: More identity theft fuel
  • Geolocation data: Where you've been
  • Billing and payment information: Credit card and bank details

The biometric data is the nightmare scenario. You can freeze your credit. You can change passwords. You can't change your fingerprints. Once that data is stolen, it's compromised for life.

The Third-Party Problem

NYC H+H says the attacker "may have gained access" through a breach at a third-party vendor.[1] They won't say which vendor.

This is healthcare's dirty secret. Hospitals share your data with dozens of vendors: billing companies, lab services, IT contractors, electronic health record providers. Each one is a potential entry point. Each one can expose your entire medical history.

NYC H+H isn't alone. This week's breach joins a pattern:

  • TriZetto/Cognizant: 3.4 million patients' data stolen through a claims processing vendor
  • Conduent: 26 million Americans' Medicaid data exposed via a government contractor
  • AltaMed: 1.2 million patients compromised through third-party access

You trusted your hospital. Your hospital trusted a vendor. The vendor got hacked. Your data is gone.

Who's Affected

According to NYC H+H's notice, you may be impacted if you were:[1]

A Patient Since 2020

Anyone who received care at an NYC Health + Hospitals facility since 2020 should assume their data was accessible.

An Employee

Workforce members, past and present, had personnel records in the compromised systems.

An Uninsured Patient

NYC H+H serves 400,000 uninsured patients annually. These are the most vulnerable New Yorkers, now exposed to identity theft.

The affected population: over 1 million patients.[4] In a city of 8 million, that's roughly one in eight New Yorkers.

What NYC H+H Is Doing (And Not Doing)

The official response includes:[1]

  • "Deployed additional detection and protective technologies"
  • Reset credentials for compromised accounts
  • Implemented enhanced detection rules
  • Updated remote access management policies
  • 24 months of free identity monitoring through Kroll

What they're not doing: naming the third-party vendor, explaining how 11 weeks of intrusion went undetected, or addressing the biometric data problem.

Identity monitoring won't help you if someone uses your stolen fingerprints. There's no "biometric freeze" service. Once your fingerprints are in criminal databases, they're there permanently.

What You Can Do

Freeze Your Credit Now

Your SSN is stolen. Freeze all three bureaus immediately: Equifax, Experian, TransUnion. It's free and stops new accounts from being opened.

Enroll in the Free Monitoring

Call (844) 403-4518 or visit nychealth-hospitalsincident.kroll.com. Available Monday-Friday, 9am-6:30pm ET. The hotline stays open for 90 days starting March 24.

Watch for Medical Identity Theft

Request your medical records from NYC H+H. Check for treatments you didn't receive. Someone could be billing insurance under your name.

Monitor Financial Accounts Closely

Financial credentials were stolen. Check bank and credit card statements daily. Set up transaction alerts. Report unauthorized activity immediately.

Change Passwords Everywhere

Online account credentials were compromised. If you reuse passwords (you shouldn't), change them all. Enable two-factor authentication.

File for an IRS Identity Protection PIN

Your SSN and tax ID were stolen. File for an IP PIN at irs.gov/identity-theft to prevent tax refund fraud.

Healthcare's Broken Security Model

NYC Health + Hospitals serves the people other hospitals don't want. The uninsured. The undocumented. Low-income New Yorkers with nowhere else to go. Over $1.1 billion in uncompensated care annually.[2]

These are exactly the people least equipped to deal with identity theft. And now their SSNs, fingerprints, and medical histories are in criminal hands because a vendor somewhere had inadequate security.

The healthcare sector continues to lead in data breaches. Why? Valuable data, tight budgets, complex vendor networks, and legacy systems. Your medical record is worth more than your credit card on the dark web: it has everything needed for identity theft and insurance fraud.

NYC H+H will enhance security measures. They always do, after the breach. The question is why 11 weeks of network intrusion went unnoticed in the first place.

References

  1. NYC Health + Hospitals - Official Notice of Data Breach (March 2026)
  2. NYC Health + Hospitals - About (Organization Size and Patient Demographics)
  3. HIPAA Journal - NYC Health + Hospitals Discloses 11-week Network Compromise (March 2026)
  4. NYC Today - NYC Health Hospitals Hit by Data Breach (March 28, 2026)