NYC Health + Hospitals Data Breach Affects 1.8M People

NYC Health + Hospitals, the largest public health care system in the United States, disclosed a data breach that affected approximately 1.8 million people.

The breach involved a broad range of sensitive information, including both personally identifiable information and protected health information. The exposed data fell into several distinct categories, each carrying different risks for affected individuals.

Health insurance and medical information was among the data compromised. According to the disclosure, this included insurance plans and policies, insurance company names and member or group ID numbers, Medicaid, Medicare and other government payor ID numbers, medical record numbers, disability codes, diagnoses, medications, test results, images and treatment plans. Exposure of medical records can lead to medical identity theft. This occurs when someone uses another person's health details to obtain care, prescriptions or insurance benefits without their knowledge.

Biometric information was part of the breach as well, including fingerprints and palm prints. Unlike a password or credit card number, biometric data cannot be changed or reissued once it has been exposed. This makes the compromise of biometric records a lasting concern for affected individuals. Billing, claims and payment information was also exposed.

The breach also included a broad set of other personal information including Social Security numbers, driver's license numbers, other government-issued identification numbers, taxpayer identification numbers and IRS-issued identity protection numbers, precise geolocation data, credit or debit card numbers, financial account information or credentials and online account credentials.

The breach was reported to the U.S. Department of Health and Human Services on March 24, 2026. NYC Health + Hospitals also posted a notice of the data breach on its website.

NYC Health + Hospitals' response to the breach

NYC Health + Hospitals has begun the process of notifying individuals whose information may have been affected by the breach.

Details about what protective services or resources the organization is offering affected individuals, such as credit monitoring or identity theft protection, can be found in the notice on the organization's website. Individuals who believe their information may have been involved should review the notice for instructions on how to enroll in any available protections or access support services.

Individuals who have received care at any NYC Health + Hospitals facility should watch for official communications regarding the breach. Any notifications from the organization should include information about what specific data was affected and what resources are available to help protect against misuse of that information.

Steps to take if your information was exposed

• Place a credit freeze and fraud alert with all three credit bureaus. Contact Equifax (1-800-525-6285), Experian (1-888-397-3742) and TransUnion (1-800-680-7289) to help prevent new accounts from being opened in your name.
• Review your credit reports for unfamiliar activity. Request free copies of your credit reports at AnnualCreditReport.com and look for any accounts or inquiries you do not recognize.
• Monitor your health insurance statements and medical records. Review Explanation of Benefits statements from your insurer for services or prescriptions you did not receive, which could be a sign of medical identity theft.
• Change passwords and enable two-factor authentication on your online accounts. Because online account credentials were among the data involved in this breach, update passwords on any accounts that may share the same login information.
• Watch for phishing attempts that reference NYC Health + Hospitals or this breach. Scammers may send emails, texts or calls pretending to be from the health system in order to steal additional personal information.
• File a report with the Federal Trade Commission if you suspect identity theft. Visit IdentityTheft.gov to create a personalized recovery plan and receive step-by-step guidance.