Supply‑Chain Breach Exposes Biometrics, Diagnoses, and Bank Details of 1.8 M Patients at NYC Health + Hospitals
What Happened – A third‑party vendor serving NYC Health + Hospitals was compromised, allowing attackers to copy files containing medical records, government IDs, banking data, and fingerprint/palm‑print biometrics for at least 1.8 million patients and employees. The intrusion spanned from late November 2025 through early February 2026.
Why It Matters for TPRM –
- Supply‑chain compromises can give threat actors unfettered access to highly regulated health data.
- Exposure of biometric identifiers creates a long‑term liability that cannot be “reset.”
- The breach demonstrates how a single vendor failure can cascade into a multi‑industry data‑privacy crisis.
Who Is Affected – Healthcare providers, health‑insurance carriers, payroll processors, and any downstream SaaS platforms that ingest NYC H+H data.
Recommended Actions – Review all third‑party contracts for security‑by‑design clauses, verify that vendors enforce encryption‑at‑rest and least‑privilege access, and conduct a rapid audit of any data‑sharing pipelines with NYC H+H.
Technical Notes – Attack vector: unauthorized access to a vendor’s network (third‑party dependency). No specific CVE disclosed. Data exfiltrated included PII (SSN, driver’s license, passport), PHI (diagnoses, medication lists, test results), financial records (bank and card numbers), and immutable biometrics (finger‑ and palm‑prints). Source: Malwarebytes Labs