NYC Health + Hospitals Vendor Breach Exposes 1.8 Million Patient Records
A data breach at NYC Health + Hospitals Corporation, the largest public health system in the U.S., may have affected over 1.8 million current and former patients and employees. The Department of Health and Human Services Office for Civil Rights breach portal was updated to reflect the compromise of personal and protected health information. Investigators found attackers had network access for 11 weeks, with the breach originating from a security incident involving one of the organization's vendors. Exposed data includes fingerprints and palm prints.
Nychealthandhospitals
- Sector
- Health Care and Social Assistance
- Signals
- 1 linked
Signal context
First seen: May 20, 2026
Last updated: Jun 29, 2026
Status: Public signal
Key points
- Data breach at NYC Health + Hospitals affected over 1.8 million individuals.
- Personal and protected health information, including fingerprints and palm prints, was compromised.
- Attackers had network access for 11 weeks.
Signal analysis
BetaThis analysis groups the signal by industry, likely incident action and impacted security area. It helps compare this signal with other published signals without treating the labels as final determinations.
Sector: Health Care and Social Assistance
Likely country: 🇮🇹 Italy
inferred from source domains
The feed marks multiple actor roles. Treat this as a review signal rather than a final attribution.
- Source type: outside the affected organization
- Source type: supplier or third-party involvement
Impact area: Confidentiality
Likely asset: User or customer data
- 6 signals in the same sector
- 90 signals with the same likely impact area
- 1 signal linked to this organization/domain
External sources
NYC Health + Hospitals Biometric Breach: HIPAA, BIPA, and the Irreversibility Problemhttps://compliancehub.wiki/nyc-health-hospitals-biometric-breach-hipaa-bipa-2026/Public source from compliancehub.wiki.
Biggest Cyber Attacks, Data Breaches, Ransomware Attacks of May 2026https://cybermanagementalliance.com/biggest-cyber-attacks-data-breaches-ransomware-attacks-of-may-2026/Public source from cybermanagementalliance.com.
The Week in Breach News: May 20, 2026 | Kaseyahttps://www.kaseya.com/blog/the-week-in-breach-news-05-20-26/Public source from kaseya.com.
20 Maggio 2026 - CyberSecurity Italiahttps://www.cybersecitalia.it/date/2026/05/20/Public source from cybersecitalia.it.
2026 Data Breaches: Cybersecurity Incidents Explained - PKWAREhttps://www.pkware.com/blog/2026-data-breachesPublic source from pkware.com.
Related signals
Grouped by why the signal is relevant.
Huntsville Hospital Health System Notifies Patients of Data Exposure from Cerner Breach
Huntsville Hospital Health System informed patients on June 26, 2026, about a data exposure stemming from a 2025 breach on Cerner's (now Oracle Health) legacy systems. The breach, which occurred on January 22, 2025, exposed personal and medical information. Cerner had notified its healthcare clients, including Huntsville Hospital, on August 12, 2025, but patient notification was delayed at the request of law enforcement.
ACLA Data Breach Exposes Social Security Numbers and Medical Information
Anatomic and Clinical Laboratory Associates P.C. (ACLA) disclosed a data breach involving unauthorized access to its computer network. The breach, discovered in December 2025, exposed personally identifiable information (names, dates of birth, Social Security numbers, taxpayer identification numbers) and protected health information (medical dates of service, diagnoses, medical history) for 69 Massachusetts residents.
Kentucky Mountain Health Alliance Discloses Data Breach Affecting SSNs and Medical Records
Kentucky Mountain Health Alliance Inc., a nonprofit health center, disclosed a data breach to the Massachusetts Office of Consumer Affairs and Business Regulation on June 19, 2026. The incident involved unauthorized access to patient data, some of which was copied. The exposed information included driver's licenses, medical records, and Social Security numbers. The specific method of attack, dates of the incident, or discovery date remain unknown. The organization is offering affected individuals a free, two-year membership to identity monitoring services.
Horizon Family Medical Group Data Breach
Reports emerged on June 18, 2026, of a possible data breach at Horizon Family Medical Group, a medical provider in New York's Hudson Valley region. Threat actor Incransom claimed to have stolen 7 TB of data, including medical information such as diagnoses, prescriptions, treatments, and lab results.
iRhythm Confirms Data Stolen in Cyberattack, Ransom Demanded
Digital health company iRhythm Holdings confirmed a cyberattack involving certain third-party-hosted business applications. The company learned of the breach on June 8, 2026, which resulted in the theft of patient protected health information, proprietary data, and other personal data. Attackers subsequently demanded a ransom.
NIFTY Corporation Affected by KDDI Corporation Data Breach
NIFTY Corporation, a Japanese internet service provider, was impacted by a data breach originating from an email system provided by KDDI Corporation. Threat actors gained unauthorized access to this shared system by exploiting a vulnerability in third-party software. This led to the potential exposure of up to 14.2 million email addresses and passwords across all affected ISPs. NIFTY Corporation customers' email addresses and passwords may have been compromised.