The New York City Health and Hospital Authority says hackers stole medical data and fingerprints during a breach that affected at least 1.8 million people.

New York public health provider NYC Health and Hospitals says a months-long data breach that allowed hackers to steal personal data, medical records and fingerprint scans affects at least 1.8 million people.

NYCHHC is the largest public health system in the United States and provides health care to more than one million New Yorkers, most of whom are uninsured or receiving government health care benefits, such as Medicaid.

The healthcare system reported this number to the US Department of Health and Human Services, making it one of the largest healthcare-related data breaches of the year so far. Healthcare organizations have been repeatedly targeted by financially motivated cybercriminals in recent years trying to steal their vast banks of highly sensitive personal, medical, and billing information from patients.

In a data breach notice on its website, NYCHHC said it detected a cyberattack on February 2 and secured its network. The hackers gained access to its network from November 2025 to February 2026, during which the hackers copied files from its systems.

The health care system said it was compromised by hackers by a third-party vendor, which it did not name.

The data exposed varies by individual, and includes patients’ health insurance plan and policy information, medical information (such as diagnosis, medications, tests, and images), billing, claims, and payment information, NYCHHC said. Other government-issued identification documents, such as Social Security numbers, passports, and driver’s licenses, were also compromised.

The breach notice also notes that “precise geolocation data” was captured during the hack, suggesting that photos the user uploaded of their identity documents may also contain the exact location of where the document was taken.

The breach is particularly sensitive because the hackers stole biometric information, including fingerprints and handprints, which affected individuals have for life and cannot replace. NYCHHC did not provide an explanation for storing biometric data. Prospective NYCHHC employees are generally required to register their fingerprints for a criminal records check. It is not yet known whether patients’ biometrics were also taken.

The NYCHHC website was briefly offline as of Monday morning. A spokesperson for NYCHHC did not immediately respond to an email from TechCrunch with questions about the cyberattack. TechCrunch asked, among other things, why it took the organization months to discover the hack, and whether it received any communication from the hackers, such as a request for payment.

It is not clear if NYCHHC could receive email at the time of the website outage.

The incident appears to be unrelated to a data breach at the National Association on Drug Abuse Problems (NADAP) earlier this year, in which more than 5,000 patients in New York City accessed information obtained in the cyberattack.

In the FBI’s most recent 2025 Annual Cybercrime Report, healthcare remained the top target for ransomware attackers — criminals who break into databases, steal a copy of the data while jamming the victim’s servers, and threaten to release the stolen data if the victim doesn’t pay the hackers. A ransomware attack on health tech giant UnitedHealth-owned Change Healthcare allowed Russian-linked hackers to steal the medical and billing information of more than 190 million Americans, believed to be the largest theft of US medical data in history.