NYC Health + Hospitals (NYCHHC) confirmed that a cyber intrusion, discovered on Feb. 2, accessed the network from Nov. 25, 2025 to Feb. 11, 2026. The breach exposed personal health informaation, insurance details, billing data and fingerprint scans of at least 1.8 million patients.

1.8 Million Records Stolen: What Types of Data Were Accessed?

According to the NYCHHC report, hackers obtained health insurance information , full medical records, billing and payment details, as well as biometric data such as fingerprint scans. The breadth of the stolen material means victims could face both identity theft and medical fraud.

NYCHHC’s Technical Response: New Tools and Tighter Remote Access

The public heaalth system says it has reset compromised credentials, deployed additional detection and protection tools, and tightened remote‑access policies. Enhanced monitoring is now in place to flag suspicious activity in real time, a move aimed at preventing a repeat of the Nov.–Feb intrusion window.

Advice to Affected Patients: Credit Alerts, Password Changes, and Law‑Enforcement Reporting

NYCHHC advises anyone whose data may be involved to change passwords, place fraud alerts or security freezes on credit files, and watch bank and insurance statements for unusual activity. Victims are also urged to contact law‑enforcement if they suspect identity theft,as the agency stresses that early reporting can limit damage.

Who Might Be Behind the Attack? Unverified Claims and Ongoing Investigation

While the breach has been publicly disclosed, the source does not identify the perpetrators. Security experts note that ransomware groups have previously targeted large health systems, but as of now no definitive attribution has been made .

What Remains Unclear: Scope of Biometric Compromise and Long‑Term Remedies

Two specific questions linger: how many fingerprint records were fully copied, and whether NYCHHC’s new security stack will be sufficient against sophisticated state‑backed actors... The agency has not released detailed metrics on the biometric loss,leaving patients and regulators seeking further clarification.