The breach
Some data expires and some does not, and this breach mixes the two. NYC Health + Hospitals, the largest public hospital network in the United States, disclosed on 18 May 2026 an intrusion that, according to its own notice, exposed personal, medical, financial and biometric information of at least 1.8 million current and former patients and employees. The system detected suspicious activity on 2 February 2026, and its investigation determined that an unauthorized actor had accessed part of the network between roughly 25 November 2025 and 11 February 2026, copying files during that window. The breach was reported to the federal Department of Health on 24 March, and its portal records the 1.8 million figure, one of the largest in the health sector so far in 2026.
What they took
The inventory is long and uneven by person. According to the notice, the compromised data includes medical records — diagnoses, medications, tests and imaging — insurance information, billing and payment data, Social Security numbers, passports and driver’s licenses, bank account details, login credentials and precise geolocation. The element that sets this breach apart from so many others is biometrics: the attacker took fingerprints and palm prints.
What cannot be reissued
Here is the crux, and specialists agree on it. As Ross Filipek, head of security at Corsica Technologies, put it, what is alarming is not only the number of those affected, but that the medical, financial and, above all, fingerprint data create a long-term problem because, unlike a password, biometrics cannot be reset after exposure. A card is reissued, a Social Security number is flagged for monitoring, a password is changed; a fingerprint accompanies the person for life.
The precedent is not hypothetical. In 2015, the breach of the U.S. government’s Office of Personnel Management exposed 5.6 million fingerprint records of federal employees and contractors; they were offered credit monitoring and, more than a decade later, no further remedy was added. Analysts noted that the NYC Health + Hospitals fingerprints were probably collected during employee onboarding, where staff usually enroll their prints for background checks.
The weak link was outside
The hospital’s own defenses are not where the system failed. NYC Health + Hospitals attributed the intrusion to a breach at an unnamed third-party vendor that had access to its systems. As Chris Debrunner, of CBTS, explained, healthcare organizations are “interconnected by design,” so third-party risk cannot be treated as an annual compliance checkbox. The pattern is familiar: according to a Paubox report, exposure through vendors and business associates accounted for 28 percent of email-related healthcare breaches in 2025. The hospital’s perimeter did not give way; the trusted relationship with someone who already held a key did.
Who is affected, and what is offered
The social detail is not minor. NYC Health + Hospitals operates more than seventy care sites across the city’s five boroughs, serves more than a million patients a year and employs about 45,000 professionals, and its population is largely low-income and on public coverage. The system offered those affected twenty-four months of free credit monitoring, retroactive to anyone who interacted with the network since 2020, and said it received no instructions from law enforcement to delay notifications.
What remains unanswered
The honest close to this story is a question, not a solution. Credit monitoring addresses financial fraud, which is reversible; it does not address biometric exposure, which is not. The question the case returns to employers and governments is the one the 2015 breach left unanswered: when an institution requires a fingerprint and then loses it, what is owed to the person whose physical identity was compromised for good? Until that question has an answer, every biometric database will remain a liability the institution can eventually shed, and the citizen never can.