Hackers have stolen from 1.8 million people not just social security numbers and medical records - but also fingerprints, palm prints and precise location data. The victim is NYC Health + Hospitals, the largest public health system in the United States, serving more than one million New Yorkers, mostly uninsured or Medicaid patients.

The damage report reads like a nightmare. The hackers had access for more than three months - from November 2025 to February 2026, until the breach was detected on 2 February. In that time, they pulled out literally everything: diagnoses, medications, test results, medical imaging, billing information, insurance details, passport and driver's licence numbers. Biometric data for which there's no password reset.

The entry didn't come from the hospital's systems directly - it came through a third-party vendor whose name still hasn't been disclosed. A classic weak point in American healthcare: large institutions are wired to dozens of outside service providers, and one weak link opens every door.

The response is staggering: at the time of writing, the NYC Health + Hospitals website was offline, and the spokesperson refused to comment. The institution issued a notice only on its own page - when it works again. The victims who can least afford a lawyer or credit monitoring now have to live with the knowledge that even their fingerprints are in criminal hands.

This breach is one of the biggest in the healthcare sector for 2026, and it raises an uncomfortable question: if even America's largest public health system can't protect biometric data, who can? And why exactly are fingerprints and palm prints being collected from patients coming in for treatment in the first place?