NYC Health + Hospitals Data Breach Exposes 1.8 Million Records Including Biometrics
NYC Health + Hospitals experienced a major data breach, reportedly impacting about 1.8 million people. Attackers accessed and exfiltrated highly sensitive data, including personal information, medical records, insurance details, Social Security numbers, passports, driver's licenses, billing data, and biometric data such as fingerprints and palm prints. The intrusion began in November 2025, with suspicious activity detected on February 2, 2026. While the breach was reported to HHS on March 24, 2026, widespread public notification became prominent in May 2026, with reports on May 24, 2026. The incident is attributed to a third-party vendor compromise.
Nychealthandhospitals
- Sector
- Finance and Insurance
- Signals
- 1 linked
Signal context
First seen: May 24, 2026
Last updated: Jun 24, 2026
Status: Public signal
Key points
- Impacted approximately 1.8 million individuals.
- Stolen data includes personal information, medical records, insurance details, SSNs, passports, driver's licenses, billing data, and biometric data (fingerprints, palm prints).
- Breach occurred between November 2025 and February 2026.
Signal analysis
BetaThis analysis groups the signal by industry, likely incident action and impacted security area. It helps compare this signal with other published signals without treating the labels as final determinations.
Sector: Finance and Insurance
Likely country: Location not provided
The feed marks multiple actor roles. Treat this as a review signal rather than a final attribution.
- Source type: outside the affected organization
- Source type: supplier or third-party involvement
Impact area: Confidentiality
Likely asset: User or customer data
- 14 signals in the same sector
- 66 signals with the same likely impact area
- 1 signal linked to this organization/domain
External sources
Your Breaches of the Week! May 18 to May 24, 2026 - YouTubehttps://www.youtube.com/watch?v=rWEgY8KMCT0Public source from youtube.com.
NYC Health + Hospitals Biometric Breach: HIPAA, BIPA, and the Irreversibility Problemhttps://compliancehub.wiki/nyc-health-hospitals-biometric-breach-hipaa-bipa-2026/Public source from compliancehub.wiki.
Related signals
Grouped by why the signal is relevant.
Texas Parks and Wildlife Department data breach exposes over 3 million driver's licenses
The Texas Parks and Wildlife Department (TPWD) disclosed a data breach at its license system vendor that exposed personal information for more than three million individuals. The compromised data included driver's license information, passport numbers, email addresses, phone numbers, and residential addresses. Social Security Numbers, dates of birth, or financial information were not impacted.
Nintendo confirms data stolen in WebMD subsidiary cyberattack
Nintendo of America confirmed that survey data was stolen from TinyPulse, a third-party service used internally for employee surveys. The company emphasized that its own systems were not compromised, and no personal customer or financial data was accessed. The data involved was limited to internal survey content from a small subset of employees, with most information dating back several years. The Shadowbyt3$ extortion group claimed responsibility, demanding a $2 million ransom.
American Express Insider Data Breach Reported
American Express was involved in an insider data breach where an employee accessed the personal financial information of an individual. An investigation by the Australian Privacy Commissioner found the company breached privacy laws by failing to implement adequate restrictions on staff access to customer accounts.
SoFi Hong Kong Confirms Third-Party Data Breach
SoFi Hong Kong, a subsidiary of the U.S.-based financial technology company SoFi, confirmed a data breach after unauthorized access was gained to a customer information database managed by a third-party vendor. The incident was detected on April 30, 2026, and publicly disclosed on June 8, 2026. The compromised data included names, dates of birth, addresses, email addresses, phone numbers, and employment and education information. The company stated that no account passwords or financial account numbers were reportedly exposed. The attack involved social engineering and exploitation of third-party vendor access. SoFi Hong Kong advised customers to remain vigilant for phishing attempts and suspicious activity.
Singing River Health System reports data breach affecting patient information
Singing River Health System notified patients about a hacking incident where an unauthorized party accessed its computer network between December 19-21, 2025. Files containing patient information, including names, contact info, SSNs, driver's license numbers, dates of birth, bank account info, and health insurance details, were viewed and potentially copied.
Pivot Health data breach exposes sensitive health details from AWS environment
Pivot Health disclosed a data breach where an unauthorized actor gained access to its Amazon Web Services (AWS) cloud environment between February 26, 2026, and March 13, 2026. This exposed personal and health insurance information for 8,391 individuals, including names, dates of birth, health insurance details, and financial account information.