For nearly three months, hackers roamed undetected inside the largest public hospital system in the U.S. By the time the intrusion was discovered, the thieves had walked away with a haul that can never be changed or reset: the finger and palm prints of patients.
NYC Health + Hospitals (NYC H+H) disclosed this week that hackers accessed sensitive patient and employee data through a third-party vendor between November 25, 2025, and February 11, 2026, affecting at least 1.8 million people.[1] The system serves more than a million patients across 70 locations in New York City's five boroughs.[2]
The breach exposed medical records, Social Security numbers, financial details, and biometric identifiers. Unlike a password or a credit card number, your fingerprints can’t be canceled or reissued.
Here's what happened, why this breach is different from most, and what to do if you may be affected.
What hackers stole, and why some of it can never be replaced
The data stolen during the nearly 11-week compromise varies by individual but includes:
- Medical records, diagnoses, and treatment information
- Health insurance details
- Billing, financial accounts, and payment information
- Social Security numbers
- Passport and driver's license numbers
- Online account credentials
- Biometric data, including fingerprints and palm prints
NYC Health + Hospitals said anyone who was a patient or employee between 2020 and February 2, 2026, could be affected, a window spanning more than five years.
Medical records are among the most valuable targets in cybercrime because they consolidate personal, financial, and insurance details in a single file. Unlike a stolen credit card, which can be quickly canceled, medical histories and biometric identifiers can’t be replaced once exposed.
The breach was first detected on February 2, 2026, and officially reported to the U.S. Department of Health and Human Services on March 24, according to HIPAA Journal. The third-party vendor involved has not been publicly identified.
Why biometric theft is a different kind of threat
The fingerprint data is what makes this breach particularly concerning.
Passwords can be changed, and cards can be replaced. Even compromised Social Security numbers can sometimes be flagged by fraud monitoring systems. But you can't just change your fingers.
"The biggest issue with biometric data is that it cannot really be reset," said Ross Filipek, CISO of Corsica Technologies. "If a fingerprint is stolen, that identifier is tied to a person permanently."
More than most people realize. Stolen fingerprint data can be used to:
- Spoof biometric authentication on your phone, in banking apps, and on financial accounts. Security researchers have demonstrated that fake fingerprints derived from stolen biometric data can fool up to 65% of sensors.
- Commit medical identity theft by using your identity to obtain prescription medications, insurance reimbursements, or medical procedures. This can permanently corrupt your health records and is notoriously difficult to detect and reverse.
- Bypass identity verification in secure physical locations, government systems, and, in some cases, travel and border control screening.
- Create a permanent, lifelong risk. Unlike a compromised credit card or even a Social Security number, there's no process to revoke or reissue your fingerprints.
The sheer length of the breach is also alarming. Hackers maintained access for nearly three months before detection, giving them ample time to search, copy, and potentially distribute sensitive records.
This breach fits a pattern that's been building. Recent AAC coverage has documented similar incidents — a breach involving Canvas student data and the Palantir/NHS patient data controversy — reflecting how third-party vendor access to sensitive institutional data remains one of the most exploitable gaps in cybersecurity.
According to a survey by All About Cookies, 50% of Americans say they feel desensitized to data breach alerts, even as 60% say they're specifically concerned about their medical history being exposed, which is precisely what's at risk here.
The downstream financial stakes are significant, too. AAC research found that 14% of Americans have personally experienced identity theft, with the average victim losing $3,312.66. Data breaches are the leading cause of online identity theft, accounting for 38% of cases.
What to do right now
If you were a patient or employee at any NYC Health + Hospitals location between 2020 and early February 2026, treat yourself as potentially affected — even before a notification letter arrives. Research shows that only 46% of breach victims ever check whether their data was included. Here's where to start:
- Confirm whether you're affected: call (844) 403-4518 or watch for a mailed notification letter from NYC H+H.
- Enroll in the 24 months of free credit monitoring NYC H+H is offering to affected individuals. This service comes at no cost to you.
- Place a fraud alert or credit freeze at all three bureaus: Equifax, Experian, and TransUnion. A freeze is free and prevents new accounts from being opened in your name.
- Review your health insurance Explanation of Benefits (EOBs) for any unfamiliar charges or procedures. Medical identity theft, in which someone uses your information to obtain care, prescriptions, or insurance reimbursements, is among the most common and hardest-to-detect consequences of a healthcare breach.
- Consider an identity theft protection service for ongoing monitoring. AAC research found that 71% of identity theft victims with monitoring in place were alerted, compared to just 20% of those without it. Services like Aura and LifeLock offer dark web monitoring, data removal, and identity theft insurance.
- Run a free dark web scan to check whether your credentials have already surfaced online.
- If you use fingerprint authentication to access your phone, financial apps, or other sensitive accounts, review those settings and add a secondary layer, like a PIN or strong password, as a backup.
Bottom line
NYC H+H is doing the right things post-breach: being transparent about the scope of the incident, notifying affected individuals, and offering two years of free credit monitoring. That matters.
But the biometric data is the part that can't be undone. Your fingerprints are a permanent identifier, and once they're in the wrong hands, the exposure doesn't expire. Ongoing monitoring isn't optional after a breach like this — it's the most practical tool available for catching misuse before it compounds.
If you've ever been a patient at an NYC public hospital, now is the time to review your identity theft protection and data removal service options.
You can't change what was taken. But knowing how to tell if someone has stolen your identity and catching it early makes all the difference.