New York City’s public health provider, NYCHHC, reports a massive data breach that compromised medical records and biometric data for at least 1.8 million people.

The hackers had access to the network from November 2025 until February 2026, snatching everything from medical histories to fingerprints. The incident highlights the ongoing threats cybercriminals pose to healthcare systems, which store vast amounts of sensitive personal and health information.

Security experts are baffled by why NYCHHC stored biometric data, especially since this is a rare practice in most healthcare settings. Patients’ Social Security numbers, passports and driver’s licenses were also compromised, making the breach particularly troubling.

In a move that seems almost prophetic, precise geolocation data from user-uploaded identity photos was taken, suggesting hackers may have captured more than just digital files.

The breach comes at a time when healthcare organizations are frequently targeted by cybercriminals. NYCHHC’s failure to detect the breach sooner and any communication with the attackers raises questions about their cybersecurity measures.