You Can't Reset Your Fingerprints. Hackers Just Stole 1.8 Million of Them From NYC Hospitals

Three months of undetected access. 1.8 million people’s most sensitive records. And at the center of the breach, a category of data that cannot be changed, reset, or replaced: fingerprints.

NYC Health + Hospitals, the largest public healthcare system in the United States, disclosed this week that hackers maintained access to its network from November 2025 through February 2026, copying files containing personal data, medical records, and biometric information belonging to at least 1.8 million people. The organization detected the intrusion on February 2 and attributed it to a compromise at an unnamed third-party vendor, according to a breach notice posted on its website. NYCHHC reported the breach to the US Department of Health and Human Services, making it one of the largest healthcare-related data breaches recorded so far this year.

What separates this incident from the routine cycle of healthcare data thefts is the fingerprints. Alongside the expected haul — Social Security numbers, diagnoses, medications, medical imagery, billing records, passports, and driver’s licenses — the hackers copied fingerprint and palm print scans. Biometric identifiers that their owners will carry, unchanged, for the rest of their lives.

Permanent Exposure

A stolen password takes minutes to reset. A compromised credit card arrives in the mail within days. Fingerprints offer no such recourse. Once that data exists outside your control, the exposure is structural and permanent.

NYCHHC has not publicly explained why it was storing biometric data. According to TechCrunch, which first reported the breach, prospective employees of the healthcare system are generally required to enroll fingerprints for criminal background checks. Whether patients’ biometric data was also compromised remains unknown.

The breach notice also disclosed that “precise geolocation data” was taken — likely metadata embedded in user-uploaded photos of identity documents, revealing exactly where those images were captured.

Healthcare as Target

Healthcare organizations remain a top target for ransomware operators, according to the FBI’s 2025 annual cybercrime report. The logic is brutal and simple: medical records combine identity information with intimate personal details, making them among the most valuable commodities on underground markets.

NYCHHC serves over a million New Yorkers, the majority of whom are uninsured or rely on state healthcare benefits such as Medicaid. The population hit by this breach is, by design, among the least equipped to absorb the financial and legal fallout of identity theft.

The scale, while significant, falls well short of the 2024 ransomware attack on UnitedHealth-owned Change Healthcare, in which Russian-linked hackers stole medical and billing data belonging to more than 190 million Americans — the largest recorded theft of US medical data in history. But the Change Healthcare breach did not involve biometric data. This one did.

The Questions Nobody Answered

TechCrunch reports that NYCHHC did not respond to questions about why the breach went undetected for three months, whether the organization has received ransom demands, or why the public disclosure came roughly three months after the intrusion was discovered. The healthcare system’s website was briefly offline as of Monday morning.

The third-party vendor responsible for the initial compromise has not been named. The incident appears unrelated to a separate breach at the National Association on Drug Abuse Problems earlier this year, which affected more than 5,000 NYCHHC patients.

The Biometric Future Has a Trust Problem

This breach arrives at a moment when technology companies are aggressively pushing biometric authentication — fingerprint scanners, facial recognition, palm-vein readers — as the successor to passwords. The pitch is seductive: biometrics are convenient, unique, and cannot be forgotten. The catch, which 1.8 million New Yorkers are now confronting, is that they also cannot be replaced.

Every new deployment of biometric collection — at hospitals, schools, employers, border crossings — creates another repository that must be defended indefinitely. The NYCHHC breach demonstrates how fragile that defense can be, particularly when it depends on third-party vendors whose security practices are invisible to the people whose data is at stake.

If a public healthcare system serving the most vulnerable population in the largest city in the United States cannot protect the biometric data it collects, the industry-wide assumption that fingerprints are a safe authentication mechanism deserves harder scrutiny. The technology to capture biometrics has outpaced the institutional capacity to secure them. That gap is where people live.

Sources

NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people — TechCrunch

Discussion (9)

Mike_T_82

Why does a HOSPITAL need your fingerprints?? This makes zero sense. What are they gonna do, arrest you for being sick? 🤦‍♂️

3 ↑

DataDragon404

Did you read past the headline? It says the fingerprints were from prospective employees for criminal background checks, not patients. RTFA before you start ranting.

8 ↑

nothingburger

This is a nothingburger. Your fingerprints are already on everything you touch anyway. Every glass at a bar, every door handle, your phone screen. If someone really wanted your prints they wouldn't need to hack a hospital database. Plus what exactly are they gonna do with 1.8 million fingerprint images? Use them to unlock phones one at a time? Please.

7 ↑

securethebag

The fact that you leave prints on glasses doesn't mean anything. A fingerprint on a glass can't be used to authenticate as you remotely. A high-resolution digital scan of your fingerprint stored in a database CAN be used to spoof biometric systems. These are completely different things and it's weird how confident you are while being this wrong.

15 ↑

patriot_eyes

THREE MONTHS undetected and we're supposed to believe this was just some random hackers? The "unnamed third party vendor" is the key detail everyone's skipping over. They won't name the vendor because it's probably a government contractor or someone connected. This is how surveillance states get built — first they collect the data "for background checks," then oops it gets "stolen," and suddenly your biometrics are in a database you never agreed to. Wake up people.

12 ↑

Linda M. Rojas

The comparison to the Change Healthcare breach is illustrative. That incident affected 190 million people but didn't involve biometric data, and this one affects far fewer people but includes fingerprints that cannot be reset. These are fundamentally different risk profiles. I worked in healthcare IT for twenty-two years, and the third-party vendor problem has only gotten worse as systems have grown more interconnected. Organizations essentially outsource their security posture when they integrate vendor access, and most have no real auditing capability over those vendors' practices.

24 ↑

grumpydad1958

Back when I started working you gave your social security number and that was the end of it. Nobody needed your fingerprints to let you push papers around a hospital. Now every employer wants biometric data, every app wants face ID, every website wants your phone number. And for what? So it can all get stolen by some teenager in Eastern Europe anyway. *sigh*

18 ↑

kels_99

this is absolutely terrifying and nobody will do anything about it

2 ↑

Jen_from_Queens

Great. I applied for a job at NYC H+H in December. Right in the middle of when these hackers were in the system. So my fingerprint AND my social are just out there now?? I literally can't change my fingerprint. Has anyone actually received one of those breach notices yet? Because I haven't gotten anything and I'm kind of freaking out.

6 ↑