NYC Health and Hospitals says hackers stole medical information and fingerprints in a breach that affected at least 1.8 million people.

A health care provider at New York NYC Health and Hospitals says data breach over many months which allows hackers to steal personal information, medical records, and fingerprint scans affects at least 1.8 million people.

NYCHHC is the largest health system in the United States and provides health care to over a million New Yorkersmany of them are uninsured or receive government health care, such as Medicaid.

The health system reported the number to the US Department of Health and Human Services, making it one of the largest healthcare-related breaches this year so far. Healthcare organizations have been repeatedly targeted by financial-focused cyber criminals in recent years in attempts to steal large amounts of their bank accounts that contain sensitive patient, clinical, and billing information.

In a data breach notice on its website, NYCHHC noted that on February 2, 2019, its network was compromised. Hackers had access to its network from November 2025 to February 2026, when hackers copied files from its systems.

The health system said the fraudsters were broke because of a breach by an unnamed supplier.

NYCHHC said that the information disclosed varies from person to person, and includes the patient’s health insurance policy and policies, medical information (such as diagnoses, medications, tests, and images), payments, claims, and fees. Other government-issued IDs, such as Social Security numbers, passports, and driver’s licenses, were also tampered with.

The breach notification also claims that “specific geolocation data” was taken in the breach, meaning that photos uploaded by users may also contain the exact location where the document was taken.

The breach is particularly difficult because the attackers stole biometric information, including fingerprints and fingerprints, that victims have had for their entire lives and cannot change. NYCHHC did not provide an explanation for the retention of biometric data. Potential NYCHHC employees are often required to register their fingerprints for criminal background checks. It is not yet clear whether the patients’ biometrics were also taken.

The NYCHHC website was briefly offline as of Monday morning. A spokesperson for the NYCHHC did not immediately respond to an email from TechCrunch with questions about the cyberattack. TechCrunch asked, among other things, why it took the organization months to discover the breach, and whether it had received any communication from hackers, such as demanding payment.

It is not known if NYCHHC could receive the email during the time the website was down.

The incident appears to be unrelated to a data breach at the National Association on Drug Abuse Problems (NADAP). earlier this yearin which more than 5,000 NYCHHC patients had their information taken in a cyberattack.

In recent FBI annual cybercrime report Covering 2025, healthcare has remained the target of hackers – criminals who break into databases, steal data stored while searching the victim’s servers, and threaten to publish the stolen data if the victim does not pay the hackers. Ransomware attack on health care giant UnitedHealth Change Healthcare allowed Russian-linked hackers to steal the medical and billing information of more than 190 million Americans.which is believed to be the largest theft of US medical data in history.