InfoSecBulletin Cybersecurity for mankind
A big data breach has put the personal information of at least 1.8 million patients at risk. Hackers were in the healthcare network for months from November last year to February. They quietly copied very sensitive files before anyone found out.
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
The stolen data includes medical records, payment info, ID numbers, and fingerprint scans that people can’t replace.
NYC Health + Hospitals is the biggest public-hospital system in the US. On May 18, 2026, they said a third-party vendor let in a breach that exposed personal and medical information of at least 1.8 million people.
What Happened
The Vendor Compromise:
NYC Health + Hospitals said the entry point was a vendor that could access their data, but they have not named the vendor yet. This vendor allowed the attackers to enter the system from November 25, 2025, to February 11, 2026, which is about two and a half months before NYC H+H found out on February 2, 2026, and shut it down. They discovered the problem nine days before the end of the intrusion, meaning they were trying to contain the issue while it was still happening. NYC H+H hired outside cybersecurity and data-analytics companies to assess the breach and find affected people.
The Notification Window
NYC H+H found the breach on February 2, 2026, and told the public on May 18, 2026, which took about 105 days. The HIPAA Breach Notification Rule usually says that notice must be given within 60 days if there is a risk to people. NYC H+H took longer than what HIPAA allows for a breach like this, especially since the breach lasted over 70 days before it was found. The HHS Office for Civil Rights will look closely at how long it took to notify after the breach was discovered.
NYC Health + Hospitals is the biggest public hospital system in the U.S. It has eleven hospitals for urgent care, five centers for long-term care, and many community clinics. Most of its patients rely on Medicaid, are undocumented, or have no other healthcare choices. This breach hurts the people who can least handle identity theft, fraud, and the costs of resetting their credentials. The exposure of fingerprints makes this worse. A set of 1.8 million fingerprints, once shared or sold, is permanently in the hands of bad actors. There is no way to reset this like a password.
Ross Filipek, CISO at Corsica Technologies told what makes this breach so alarming is not just the nearly two million people impacted, but the information stolen.
“Medical records, financial details, and even fingerprint data create a long-term problem for victims because, unlike a password, biometric data cannot simply be reset after exposure,” Filipek explained.
Related News:
Healthcare Data Breaches affect 88 Million Americans
Bangladeshi health institution hacked, leaked sensitive data
No more medical files, Gov.t plan to have your digital record
Criminal store thousand Bangladeshi’s finger print
