{“lastseen”:”2026-05-19T18:09:01″,”description”:”NYC Health + Hospitals (NYC H+H) posted a data breach notice about a months\u2011long breach via a third\u2011party vendor that exposed highly sensitive patient and employee data for at least 1.8 million people, including medical records, government IDs, geolocation data, and even fingerprint and palm\u2011print biometrics.\\n\\nNYC H+H detected suspicious activity on February 2, 2026, and later confirmed that an unauthorized actor had access to parts of its network from roughly late November 2025 through February 2026.\\n\\nDuring this window, attackers copied files containing personal, medical, financial, and biometric information. The incident was reported to the US Department of Health and Human Services (HHS) on March 24, 2026, and currently affects at least 1.8 million individuals, making it one of the largest healthcare breaches of 2026 so far.\\n\\n\\n\\nNYC H+H attributes the intrusion to a breach at an unnamed third\u2011party vendor that had access to its systems. This fits the current pattern of supply-chain compromises, where a vendor becomes the entry point for attackers to gain access to their clients’ systems or data.\\n\\nIncidents like these are a textbook example of how deeply personal health data can fuel long\u2011term fraud, stalkerware\u2011like abuse, and permanent privacy loss.\\n\\n* * *\\n\\n\\n\\n### See if your personal data has been exposed.\\n\\nSCAN NOW\\n\\n* * *\\n\\n## Types of data\\n\\nAccording to NYC H+H\u2019s notice and related write\u2011ups, the exposed dataset is unusually broad and detailed.\\n\\nWe can divide the data into three distinct layers:\\n\\n * **Classical PII, which can be combined with other leaked datasets:** Full names and contact details. Government\u2011issued identifiers, including Social Security Numbers, driver\u2019s license and passport numbers, other government ID numbers, taxpayer IDs, and IRS identity protection PINs. The breach also exposed billing and payment records, plus bank and card data, which can be used for direct financial theft and highly convincing social engineering.\\n * **Medical and insurance data** : Detailed diagnoses, medication lists, and test results expose conditions people may have kept private from employers, family, or insurers, enabling blackmail, targeted scams, and discrimination. Insurance and claims data can be abused to submit fraudulent claims, redirect reimbursements, or impersonate existing identities in healthcare systems.\\n * **Biometrics** : These are at least as sensitive as medical history because they tend to stay with you for life. They are not easy to erase or replace. Once compromised, large biometric databases become long\u2011term liabilities for everyone who relies on them as trustworthy identifiers.\\n\\n\\n\\nUnfortunately, this is part of a broader pattern. The FBI\u2019s Internet Crime Complaint Center (IC3) reports that healthcare was the most targeted critical infrastructure sector for ransomware in 2025, with 460 ransomware incidents and 182 reported healthcare data breaches.\\n\\nThe Change Healthcare ransomware attack alone exposed medical and billing data for more than 190 million Americans, highlighting how a single healthcare intermediary can disrupt an entire system.\\n\\n## What to do if you\u2019re involved\\n\\nIf you’ve interacted with NYC Health + Hospitals, there’s a possibility your personal information could be affected.\\n\\nNYC Health + Hospitals is making identity theft prevention and mitigation services, including credit monitoring, available through Kroll Information Assurance, LLC for a period of 24 months at no cost to all individuals who have worked for or been a patient of NYC Health + Hospitals. For more details check its data breach notice.\\n\\nIf you think you’ve been affected by a data breach, here are steps you can take to protect yourself:\\n\\n * **Check the company\u2019s advice.** Every breach is different, so check with the company to find out what\u2019s happened and follow any specific advice it offers.\\n * **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don\u2019t use for anything else. Better yet, let a password manager choose one for you.\\n * **Enable two-factor authentication (2FA****).** If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can\u2019t be phished.\\n * **Watch out for impersonators.** The criminals may contact you posing as the breached platform. Check the official website to see if it\u2019s contacting victims and verify the identity of anyone who contacts you using a different communication channel.\\n * **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.\\n * **Consider not storing your card details**. It\u2019s definitely more convenient to let sites remember your card details, but it increases risk if a retailer suffers a breach.\\n * **Set up identity monitoring**, which alerts you if your personal information is found being traded illegally online and helps you recover after.\\n\\n\\n\\n* * *\\n\\n****Let ‘s face it, an incognito window can only do so much.** \\n \\n**Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance.”,”published”:”2026-05-19T15:56:38″,”modified”:”2026-05-19T15:56:38″,”type”:”malwarebytes”,”title”:”Biometrics, diagnoses, and bank details exposed in major healthcare breach”,”source”:””,”references”:””,”id”:”MALWAREBYTES:5EC4CCFD1066A684C386B5078A9A2E2C”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/05\/biometrics-diagnoses-and-bank-details-exposed-in-major-healthcare-breach”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-19T18:09:01″,”description”:”NYC Health + Hospitals (NYC H+H) posted a data breach notice about a months\u2011long breach via a third\u2011party vendor that exposed highly sensitive patient and…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-55616","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n