Security | June 5, 2026 | 9 min read

What to Do After the NYC Health + Hospitals Data Breach

By Sarah Chen

Head of Privacy Research

NYC Health + Hospitals -- the largest public healthcare system in the United States -- disclosed a data breach affecting approximately 1.8 million individuals. The breach, which went undetected for more than two months, exposed some of the most sensitive categories of personal data imaginable: medical records, biometric data, government-issued identification numbers, and precise geolocation information. If you have ever been a patient at an NYC Health + Hospitals facility, here is what happened, why this breach is exceptionally dangerous, and the steps you must take immediately to protect yourself.

What Happened: The NYC Health + Hospitals Breach

NYC Health + Hospitals detected unauthorized activity in its systems on February 2, 2026. However, the subsequent investigation revealed that the attacker first gained access on November 25, 2025 -- meaning the intruder had been inside the network for more than two months before being discovered. The unauthorized access continued until February 11, 2026, when it was finally contained.

During this extended period of access, the attacker exfiltrated vast amounts of patient and employee data. The breach was reported to the U.S. Department of Health and Human Services (HHS) on March 24, 2026, as required by federal law. Investigators believe the attacker likely gained initial access through a third-party vendor breach, exploiting a trusted connection to penetrate the hospital system's network.

Approximately 1.8 million individuals were affected -- a staggering number that includes current and former patients across NYC Health + Hospitals' 11 acute care hospitals, five post-acute care facilities, and more than 70 community-based health centers throughout New York City.

Biometric Data Was Stolen -- And It Cannot Be Changed

Among the data compromised in this breach is biometric information, including fingerprints and palm prints. Unlike a password or even a Social Security number, biometric data is permanent. You cannot change your fingerprints. Once this data is in criminal hands, it remains a vulnerability for life. This makes the NYC Health + Hospitals breach one of the most consequential healthcare breaches in recent years, with implications that extend far beyond typical identity theft.

What Data Was Exposed

The scope of exposed data in this breach is extraordinary. The following categories of information were compromised:

Medical Records

  • Diagnoses and medical conditions
  • Medications and prescriptions
  • Test results and lab work
  • Medical imagery (X-rays, MRIs, and other diagnostic images)

Health Insurance Information

  • Insurance plan details
  • Billing and claims data
  • Payment information

Government-Issued Identification

  • Social Security numbers
  • Driver's license numbers
  • Other government ID numbers

Biometric Data

  • Fingerprints
  • Palm prints

Location and Personal Details

  • Precise geolocation data extracted from uploaded photos and documents
  • Names, addresses, and contact information

This combination of data is a worst-case scenario for affected individuals. Medical records, biometric data, government IDs, and precise location information together create an extraordinarily comprehensive identity profile that can be exploited in ways far beyond conventional financial fraud.

Why This Breach Is Especially Dangerous

Medical Identity Theft

When criminals have your medical records and insurance information, they can receive medical care, fill prescriptions, and submit insurance claims in your name. This is known as medical identity theft, and it is one of the most difficult forms of fraud to detect and resolve. Fraudulent medical records can become mixed with your legitimate health history, potentially leading to dangerous misdiagnoses, incorrect medications, or denial of care based on conditions you do not actually have.

Permanent Biometric Compromise

Biometric data like fingerprints is increasingly used for authentication -- from unlocking smartphones to verifying identity at government offices and airports. Once stolen, biometric data can be used to bypass security systems indefinitely. Unlike a password, you cannot reset your fingerprints. If your biometric data was exposed in this breach, any system that relies on your fingerprints for authentication is permanently less secure.

Geolocation Tracking

The exposure of precise geolocation data from uploaded photos and documents means criminals potentially know where you live, work, or regularly visit. This data can be used for stalking, burglary, or to craft highly targeted social engineering attacks that reference real locations you frequent.

Immediate Steps to Take Right Now

1. Enroll in the Free Identity Monitoring

NYC Health + Hospitals is offering 24 months of free identity monitoring through Kroll. If you received a breach notification letter, it should include enrollment instructions and a unique activation code. Enroll immediately. This service monitors your credit file, public records, and other sources for signs that your identity is being misused. Even if you are not sure whether your data was affected, enroll if you are eligible -- it is free and provides an important safety net.

2. Freeze Your Credit at All Three Bureaus

With Social Security numbers and government IDs exposed, freezing your credit is essential -- not optional. A credit freeze prevents anyone from opening new accounts in your name. Place a freeze at all three bureaus for free:

  • Equifax: equifax.com/personal/credit-report-services/credit-freeze/
  • Experian: experian.com/freeze/center.html
  • TransUnion: transunion.com/credit-freeze

3. Request Your Medical Records

Contact NYC Health + Hospitals and request a copy of your complete medical records. Review them carefully for any treatments, prescriptions, or diagnoses that you do not recognize. If you find discrepancies, report them immediately to the healthcare provider and request corrections. Inaccurate medical records are not just a privacy concern -- they can be a safety hazard if they lead to incorrect treatment decisions.

4. Monitor Your Insurance Statements

Review all Explanation of Benefits (EOB) statements from your health insurance provider. Look for claims for services you did not receive, providers you did not visit, or medications you were not prescribed. Report any suspicious claims to your insurance company immediately. Request that your insurer flag your account for potential fraud.

5. Request an IRS Identity Protection PIN

With Social Security numbers exposed, tax fraud is a significant risk. Apply for an Identity Protection PIN (IP PIN) from the IRS at irs.gov/ippin. This six-digit number is required when filing your tax return and prevents criminals from filing fraudulent returns using your Social Security number.

6. Place a Fraud Alert on Your Credit File

Contact one of the three credit bureaus to place an initial fraud alert, which will automatically be applied to the other two. This requires creditors to verify your identity before opening new accounts, adding another layer of protection alongside your credit freeze.

File a Complaint With HHS

As a healthcare breach, this incident falls under HIPAA jurisdiction. You have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your protected health information was improperly disclosed. Visit hhs.gov/hipaa/filing-a-complaint to submit your complaint. You can also file a complaint with the New York State Attorney General's office at ag.ny.gov.

Long-Term Protection After the NYC Health + Hospitals Breach

Continue Monitoring for Medical Identity Theft

Medical identity theft can take months or years to surface. Continue reviewing EOB statements, medical bills, and your medical records regularly -- not just in the weeks immediately following the breach. Request your medical records annually to check for unauthorized entries.

Secure Your Biometric Data Where Possible

While you cannot change your fingerprints, you can take steps to limit further exposure. Review which devices and services use your biometric data for authentication. Where possible, switch to alternative authentication methods such as strong passwords with two-factor authentication. Be cautious about providing biometric data to new services going forward.

File Your Tax Returns Early

With your Social Security number compromised, file your federal and state tax returns as early as possible each year. If a criminal files a fraudulent return using your SSN before you file, it can take months to resolve. Filing early prevents this form of fraud.

Review Your Credit Reports Regularly

Check your credit reports at AnnualCreditReport.com at least quarterly. Look for accounts you did not open, addresses where you have never lived, and inquiries you did not authorize. The free monitoring through Kroll will help, but manual review catches things automated systems sometimes miss.

How PrivacyOn Helps Protect You After the NYC Health + Hospitals Breach

When a breach exposes your medical records, biometric data, and government IDs, the last thing you need is for additional personal information to be easily accessible on data broker websites. Data brokers sell your name, home address, phone number, email address, family relationships, and more to anyone willing to pay. Criminals can use this data broker information to fill in gaps, verify stolen identities, and commit more sophisticated fraud.

PrivacyOn removes your personal information from over 100 data broker sites, reducing the publicly available data that criminals can use alongside your stolen records. With 24/7 continuous monitoring, PrivacyOn detects when brokers re-list your information and removes it again automatically. Dark web monitoring alerts you if your personal data or credentials surface in underground forums and marketplaces -- giving you early warning to take action. Family plans cover up to 5 people, so you can protect your entire household. Plans start at just $8.33 per month.

A breach of this magnitude -- involving permanent biometric data and deeply personal medical records -- demands comprehensive, ongoing protection. PrivacyOn provides that critical layer by ensuring that the personal information still within your control does not remain exposed for criminals to exploit.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
