NYC Health and Hospitals confirmed that hackers accessed personal and medical data from at least 1.8 million people during a significant security breach. The attack also compromised biometric information, including fingerprints, marking one of 2026's largest healthcare data breaches.
The New York public healthcare system disclosed the breach this week, revealing the scope of unauthorized access to its patient database. Compromised data includes names, addresses, Social Security numbers, and medical records spanning the system's patient population.
Biometric information stolen in the attack presents heightened security concerns. Fingerprint data, unlike passwords, cannot be easily changed if compromised. The theft of such data could expose patients to identity theft, fraud, and unauthorized access to secure facilities or systems that use fingerprint authentication.
NYC Health and Hospitals operates the largest municipal hospital system in the United States, serving millions of New Yorkers annually. The breach affects patients who received care across the system's facilities over an extended period.
The healthcare organization has not yet publicly identified the attackers or disclosed the attack method. Investigation into the incident is ongoing. The system said it is notifying affected patients and offering credit monitoring services as a precautionary measure.
The breach adds to a growing list of major healthcare data incidents in recent years. Patient medical records remain high-value targets for cybercriminals due to the sensitive personal information they contain and the difficulty patients face in remedying unauthorized access.
Experts recommend affected individuals monitor accounts for suspicious activity and consider freezing credit as a preventive measure. The incident underscores ongoing challenges healthcare providers face in protecting patient data against evolving cyber threats.
NYC Health and Hospitals has not announced disciplinary actions or systemic changes in response to the breach. The organization continues to investigate the full scope of the incident and assess any ongoing security vulnerabilities.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.