NYC Health and Hospitals Suffers Massive Data Breach Affecting 1.8 Million Individuals New York City Health and Hospitals (NYCHH), the largest public health system in the U.S., has disclosed one of the most significant healthcare data breaches of 2026, exposing sensitive personal, medical, financial, and biometric information of at least 1.8 million individuals. The breach, detected on February 2, 2026, revealed unauthorized access to NYCHH systems between November 25, 2025, and February 11, 2026, with attackers exfiltrating files during that period. The compromised data includes protected health information (PHI), identity documents, financial records, and biometric data, such as fingerprints and palm prints details that cannot be replaced if stolen. Affected individuals may have had Social Security numbers, driver’s license numbers, medical records, insurance details, billing information, and even precise geolocation data exposed. The breach’s scale and sensitivity make it one of the most consequential in recent years, given the irrevocable nature of biometric data. NYCHH serves over a million New Yorkers, many of whom are uninsured or rely on public health programs like Medicaid. The organization has not identified the specific third-party vendor believed to be the initial entry point for the attack, though the incident aligns with a growing trend of healthcare breaches originating from compromised vendors. Hospitals increasingly depend on external partners for billing, electronic health records, and cybersecurity services, creating vulnerabilities when those vendors are breached. The timeline of the attack raises concerns: despite detecting suspicious activity on February 2, the unauthorized access persisted until February 11, meaning attackers remained inside the system for 11 weeks and continued operations even after discovery. NYCHH has since implemented enhanced detection tools, credential resets, and updated remote access policies to prevent future intrusions. This breach follows a string of major healthcare incidents in 2026, including breaches at Erie Family Health Centers (570,000 affected), Florida Physician Specialists (276,000), Coastal Carolina Health Care (110,000), and Western Orthopaedics (110,000), highlighting the persistent threat cybercriminals pose to the sector. NYCHH’s investigation remains ongoing, and the full scope of the exposure may evolve as the review of compromised files continues.

Novant Health suffered a data breach that disclosed sensitive data, including email addresses, phone numbers, financial information - even doctor's appointment details of about 1.3 million patients. Novant Health informed some of its patients following possible disclosure of protected health information (PHI) resulting from an incorrect configuration of a pixel, an online tracking tool. The leaked data also potentially included computer IP addresses, emergency contact information, advanced care planning contacts, appointment types and dates, patients' physicians, and various information types into text boxes or selected from drop-down menus and buttons via its patient portal.