NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people
NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people
纽约市公立医院系统(NYC Health + Hospitals)称黑客在数据泄露事件中窃取了医疗数据和指纹,至少 180 万人受影响
New York public health provider NYC Health + Hospitals says a months-long data breach that allowed hackers to steal personal data, medical records, and fingerprints scans affects at least 1.8 million people. 纽约市公立医疗服务提供商 NYC Health + Hospitals 表示,一场持续数月的数据泄露事件导致黑客窃取了个人数据、医疗记录和指纹扫描信息,至少有 180 万人受到影响。
NYCHHC is the largest public health system in the United States and provides healthcare to over a million New Yorkers, the majority of whom are uninsured or receive state healthcare benefits, such as Medicaid. NYCHHC 是美国最大的公立医疗系统,为超过一百万纽约市民提供医疗服务,其中大多数人没有医疗保险或领取州政府医疗福利(如医疗补助计划 Medicaid)。
The healthcare system reported the number to the U.S. Department of Health and Human Services, making it one of the largest healthcare-related data breaches of the year so far. 该医疗系统已向美国卫生与公众服务部报告了受影响人数,使其成为今年迄今为止规模最大的医疗相关数据泄露事件之一。
Healthcare organizations have been repeatedly targeted by financially motivated cybercriminals in recent years in efforts to steal their vast banks of highly sensitive patients’ personal, medical, and billing information. 近年来,医疗机构屡屡成为以经济利益为动机的网络犯罪分子的目标,这些犯罪分子试图窃取其庞大的、高度敏感的患者个人、医疗及账单信息库。
In a data breach notice on its website, NYCHHC said that it detected a cyberattack on February 2 and secured its network. The hackers had access to its network from November 2025 until February 2026, during which the hackers copied files from its systems. 在其网站发布的数据泄露通知中,NYCHHC 表示于 2 月 2 日检测到网络攻击并保护了其网络。黑客在 2025 年 11 月至 2026 年 2 月期间能够访问其网络,并在此期间从其系统中复制了文件。
The healthcare system said hackers broke due to a breach at a third-party vendor, which it did not name. 该医疗系统称,黑客入侵是由于一家未具名的第三方供应商发生泄露所致。
NYCHHC said that the exposed data varies by individual and includes patients’ health insurance plan and policy information, medical information (e.g., diagnoses, medications, tests, and imagery), billing, claims, and payment information. Other government-issued identity documents, such as Social Security numbers, passports, and driver’s licenses, were also compromised. NYCHHC 表示,泄露的数据因人而异,包括患者的健康保险计划和保单信息、医疗信息(如诊断、药物、检查和影像)、账单、索赔和支付信息。其他政府签发的身份证明文件,如社会安全号码、护照和驾照也遭到泄露。
The breach notice also says “precise geolocation data” was taken in the breach, suggesting that the user-uploaded photos of their identity documents may have also contained the exact location of where the document was captured. 泄露通知还提到,此次事件中还获取了“精确地理位置数据”,这表明用户上传的身份证明文件照片可能包含了拍摄该文件时的确切位置。
The breach is particularly sensitive because hackers stole biometric information, including fingerprints and palm prints, which affected individuals have for life and cannot replace. NYCHHC did not provide an explanation for storing biometric data. Prospective NYCHHC employees are generally required to enroll their fingerprints for criminal records checks. It’s not yet known if patients’ biometrics were also taken. 此次泄露事件尤为敏感,因为黑客窃取了包括指纹和掌纹在内的生物识别信息,这些信息对受影响者来说是终身且无法更换的。NYCHHC 未就存储生物识别数据的原因作出解释。NYCHHC 的潜在员工通常需要录入指纹以进行犯罪记录检查。目前尚不清楚患者的生物识别信息是否也被窃取。
NYCHHC’s website was briefly offline as of Monday morning. A spokesperson for NYCHHC did not immediately respond to an email from TechCrunch with questions about the cyberattack. TechCrunch asked, among other things, why it took the organization months to detect the breach, and if it has received any communication from the hackers, such as a demand for payment. It’s not clear if NYCHHC can receive email at the time of the website outage. 截至周一上午,NYCHHC 的网站曾短暂离线。NYCHHC 的发言人没有立即回复 TechCrunch 关于此次网络攻击的询问邮件。TechCrunch 询问的问题包括:为什么该机构花了数月时间才发现此次泄露,以及是否收到了黑客的任何沟通(如勒索赎金)。目前尚不清楚在网站中断期间 NYCHHC 是否能够接收电子邮件。
The incident appears to be unrelated to the data breach at National Association on Drug Abuse Problems (NADAP) earlier this year, in which over 5,000 NYCHHC patients had information taken in the cyberattack. 该事件似乎与今年早些时候全国药物滥用问题协会(NADAP)发生的数据泄露事件无关,在那次网络攻击中,超过 5,000 名 NYCHHC 患者的信息被窃取。
In the FBI’s latest annual report on cybercrime covering 2025, healthcare remained a top target for ransomware attackers — criminals who break into databases, steal a copy of the data while scrambling the victim’s servers, and threaten to publish the stolen data if the victim does not pay the hackers. 在 FBI 关于 2025 年网络犯罪的最新年度报告中,医疗行业仍然是勒索软件攻击者的首要目标——这些犯罪分子入侵数据库,窃取数据副本并加密受害者的服务器,如果受害者不支付赎金,他们就会威胁公布窃取的数据。
A ransomware attack on UnitedHealth-owned health tech giant Change Healthcare allowed Russian-linked hackers to steal the medical and billing information of more than 190 million Americans, believed to be the largest theft of U.S. medical data in history. 针对联合健康集团(UnitedHealth)旗下医疗科技巨头 Change Healthcare 的勒索软件攻击,使与俄罗斯有关联的黑客窃取了超过 1.9 亿美国人的医疗和账单信息,这被认为是美国历史上最大规模的医疗数据窃取事件。