CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 20, 2026

Public NYC Health System Notifying 1.8M of Hack

Data Breach Today Archived May 20, 2026 ✓ Full text saved

Incident Involved an Unnamed Third-Party Vendor New York City's municipal healthcare system is notifying nearly 2 million patients of a hacking incident discovered earlier this year involving a third-party vendor. The breach compromised a long list of information, including biometric data such as fingerprints.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Data Breach Notification , Data Security , HIPAA/HITECH Public NYC Health System Notifying 1.8M of Hack Incident Involved an Unnamed Third-Party Vendor Marianne Kolbasuk McGee (HealthInfoSec) • May 19, 2026     Share Post Share Credit Eligible Get Permission Image: NYC Health + Hospitals New York City's municipal healthcare system is notifying nearly 2 million patients of a hacking incident discovered earlier this year involving a third-party vendor. See Also: Embracing Digital Risk Protection: Take Your Threat Intelligence to the Next Level NYC Health + Hospitals, which serves more than 1 million patients annually, is a safety-net health system with 70 care locations, including multiple hospitals across the five boroughs of New York City. The U.S. Department of Health and Human Services' health data breach reporting site listed the NYC Health incident this week as affecting 1.8 million people. NYC Health first revealed the data breach in March (see: NYC Health Notifying Patients of 2 Third-Party Hacks.) NYC Health in a March 24 breach notice said the hackers appeared to have gained access to the organization's systems "due to a security breach at a third-party vendor." NYC Health did not immediately respond to ISMG's request for additional details about the breach, including the identity of the vendor at the center of the incident. The long list of information potentially compromised in the breach includes health insurance information, such as Medicaid, Medicare and private policy ID numbers, medical information, billing claims, Social Security numbers, credit and debit card numbers and biometric data including fingerprints and palm prints. "The biggest issue with biometric data is that it cannot really be reset," said Ross Filipek, CISO at security firm Corsica Technologies. "If a password is stolen, you can change it. If a fingerprint is stolen, that identifier is tied to a person permanently." Attackers may not be able to use that information everywhere immediately, but it can become more valuable over time as biometric authentication becomes more common across healthcare, financial services and identity systems, he said. The incident at the center of the March 24 breach notice is NYC Health's second hacking incident breach involving a third-party revealed so far this year. The healthcare organization in a breach notice published March 11 said that it was also notifying 5,086 of its patients of a hacking incident at one of its care management agency partners - National Association on Drug Abuse Programs - which provides care coordination services to individuals who receive services under a NYC Health home health program. A NYC Health spokesman had previously told ISMG that the two data breaches are separate incidents. "When a public health provider is hit at this scale, the ripple effects can be much larger than the organization itself," Filipek said. Patients may face fraud or medical identity theft, while the provider has to manage investigations, notifications, trust issues and operational strain, he said. "Public health systems also serve broad and often vulnerable communities, so a breach like this can create real fear among people who may already have limited options for care."
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    May 20, 2026
    Archived
    May 20, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗