NYC Health + Hospitals Data Breach: 1.8 Million Records Compromised in One of 2026’s Worst Healthcare Cyberattacks

New York City Health + Hospitals (NYCHHC), the largest public healthcare network in the United States, has disclosed a major data breach that affected approximately 1.8 million patients and employees. The incident is now being viewed as one of the most significant healthcare cyberattacks reported in 2026.
According to the organization’s investigation, the attackers first gained access to the network around November 25, 2025, through a compromised third-party vendor. The intrusion remained undetected for more than two months, giving the threat actors ample time to move through internal systems and collect sensitive information.
The suspicious activity was finally discovered on February 2, 2026, prompting an immediate response from the hospital network and external cybersecurity specialists. However, investigators later determined that the attackers continued to maintain access until February 11, extending the breach even after initial containment efforts had begun.
The stolen information includes medical records, prescription details, laboratory results, insurance information, Social Security numbers, government-issued identification documents, financial account data, login credentials, and location-related information. Particularly concerning is the theft of biometric data, including fingerprints and palm prints. Unlike passwords or credit card numbers, biometric information cannot simply be changed once exposed, creating long-term security and privacy risks for affected individuals.
The breach has raised concerns because many of the impacted patients come from low-income communities that rely on Medicaid and other public healthcare programs. Security experts warn that these individuals could face increased risks of identity theft, financial fraud, and targeted phishing attacks for years to come. Investigators believe the attack originated through a trusted third-party supplier, highlighting a growing trend in the healthcare sector. Rather than attacking well-protected hospital networks directly, cybercriminals are increasingly targeting vendors with privileged access, using them as an entry point into larger organizations.
NYCHHC formally reported the incident to the U.S. Department of Health and Human Services on March 24, 2026, and has offered affected individuals two years of complimentary credit monitoring services. The organization also continues to work with cybersecurity experts and regulators as the investigation remains ongoing.
This incident serves as another reminder that cybersecurity risks do not stop at an organization’s perimeter. In today’s interconnected environment, third-party vendors can become the weakest link in the security chain. As healthcare organizations continue to expand their digital ecosystems, strengthening vendor risk management programs will be essential to preventing similar breaches in the future.