NYC Health + Hospitals Data Breach
NYC Health + Hospitals confirmed a data breach on May 18, 2026, where hackers stole medical data and fingerprints during a breach affecting at least 1.8 million people. The breach occurred through a third-party vendor compromise and stole highly sensitive medical records, insurance data, government IDs, geolocation information, and biometric fingerprints and palm prints.
Nychealthandhospitals
- Sector
- Finance and Insurance
- Signals
- 1 linked
Signal context
First seen: May 18, 2026
Last updated: Jun 25, 2026
Status: Public signal
Key points
- Affects at least 1.8 million people.
- Stolen data includes medical records, insurance data, government IDs, geolocation information, biometric fingerprints, and palm prints.
- Breach occurred through a third-party vendor compromise.
Signal analysis
BetaThis analysis groups the signal by industry, likely incident action and impacted security area. It helps compare this signal with other published signals without treating the labels as final determinations.
Sector: Finance and Insurance
Likely country: Location not provided
The feed marks multiple actor roles. Treat this as a review signal rather than a final attribution.
- Source type: outside the affected organization
- Source type: supplier or third-party involvement
Impact area: Confidentiality
Likely asset: User or customer data
- 17 signals in the same sector
- 80 signals with the same likely impact area
- 1 signal linked to this organization/domain
External sources
Your Breaches of the Week! May 18 to May 24, 2026 - YouTubehttps://www.youtube.com/watch?v=rWEgY8KMCT0Public source from youtube.com.
NYC Health + Hospitals Biometric Breach: HIPAA, BIPA, and the Irreversibility Problemhttps://compliancehub.wiki/nyc-health-hospitals-biometric-breach-hipaa-bipa-2026/Public source from compliancehub.wiki.
Biggest Cyber Attacks, Data Breaches, Ransomware Attacks of May 2026https://cybermanagementalliance.com/biggest-cyber-attacks-data-breaches-ransomware-attacks-of-may-2026/Public source from cybermanagementalliance.com.
Related signals
Grouped by why the signal is relevant.
Xsolis Data Breach Affects Nearly 1.4 Million Individuals
Healthcare technology company Xsolis disclosed a data breach impacting approximately 1.4 million individuals. The incident stemmed from a targeted phishing attack on January 20, 2026, which led to unauthorized access to a limited portion of the Xsolis environment. Exposed data includes names, dates of birth, Social Security numbers, health insurance information, and medical treatment information. Xsolis provides AI-powered solutions for healthcare providers and payers.
London Hydro Discloses Data Breach Affecting Customer Information
Canadian electricity provider London Hydro announced a data breach that potentially impacted the personal and account information of its customers. The exposed data may include names, addresses, email addresses, phone numbers, account and billing numbers, service addresses, pricing plans, contract dates, and meter numbers. The utility became aware of suspicious activity on a customer account on June 18, 2026, and an investigation determined a system vulnerability was exploited. No financial or other sensitive information like dates of birth or government IDs were compromised.
Nintendo of America Employee Data Stolen in TinyPulse Third-Party Breach
Nintendo of America confirmed on June 18, 2026, that internal employee survey data was stolen from TinyPulse, a third-party employee engagement SaaS solution owned by WebMD Health Services. The 'Shadowbyt3$' extortion group claimed responsibility, stating they exfiltrated approximately 1GB of data, including employee names, email addresses, analytics, survey data, bank statements, and W-9 forms. Nintendo's own systems and customer data were not compromised.
American Express Insider Data Breach Reported
American Express was involved in an insider data breach where an employee accessed the personal financial information of an individual. An investigation by the Australian Privacy Commissioner found the company breached privacy laws by failing to implement adequate restrictions on staff access to customer accounts.
NAIC Confirms Cyberattack on Oracle PeopleSoft Systems by ShinyHunters
The National Association of Insurance Commissioners (NAIC) confirmed a cyberattack on its Oracle PeopleSoft systems, part of a broader campaign by ShinyHunters exploiting CVE-2026-35273 between May 27 and June 9, 2026. The breach exposed publicly available statutory financial reporting information and credit rating agency data.
SoFi Hong Kong Confirms Third-Party Data Breach
SoFi Hong Kong, a subsidiary of the financial technology company SoFi, confirmed a data breach after hackers gained unauthorized access to a database at a third-party vendor containing customer information. The company is advising customers to update passwords, enable two-factor authentication, and monitor their accounts.