NYC Health + Hospitals Data Breach Class Action Lawsuit
Medical Data Breach · Lawsuit Filed

NYC Health + Hospitals Class Action Says Breach Exposed 1.8 Million Patients' Medical Data and Fingerprints

By Steve Levine

NYC Health + Hospitals data breach class action lawsuit over stolen medical records and fingerprint scans

Published: June 10, 2026

Allegations Only · No Settlement Yet

This article describes a class action complaint. The statements below are unproven allegations. NYC Health + Hospitals has not been found liable, there is no certified class, and nothing to claim at this time. This page is informational and is not legal advice.

Status Complaint Filed Proposed class action · U.S. District Court, Southern District of New York
The Breach At least 1.8 million people affected Hackers in the network from late November 2025 to February 2026 · medical records, IDs & fingerprint scans reportedly stolen
Can I Claim? No — nothing to claim yet No settlement, no fund, no claim form at this stage

What Is This About?

New York City Health and Hospitals Corporation — the largest public hospital system in the United States — is facing a proposed class action lawsuit over a months-long cyberattack that exposed the personal, medical, and even biometric data of at least 1.8 million people. The suit, brought by lead plaintiff Deneice O'Connor in the U.S. District Court for the Southern District of New York, alleges the health system failed to take basic data-security steps to protect the sensitive information patients and employees entrusted to it.

NYC Health + Hospitals runs 11 public hospitals across the five boroughs — including Bellevue, Elmhurst, Harlem, Kings County, and Lincoln — along with dozens of community clinics, and serves more than a million New Yorkers a year. The filing of the complaint is only the beginning of the case: the health system has not been found liable, no class has been certified, and the allegations remain unproven.

The Data Breach Behind the Lawsuit

According to the health system's own breach disclosure and primary news reporting, attackers gained access to the NYC Health + Hospitals network through a compromise at an unnamed third-party vendor. The intruders were reportedly inside the network from late November 2025 until the intrusion was detected and contained in February 2026 — a window of more than two months.

The breach was reported to the U.S. Department of Health and Human Services in March 2026 as affecting at least 1.8 million people, a number that could grow as the investigation continues. The stolen data reportedly includes:

• Medical information — diagnoses, treatment plans, prescriptions, imaging, and health insurance details
• Identity documents, such as driver's licenses and passports
• Biometric data, including fingerprint scans
• Other personal identifying information held by the hospital system

The biometric element makes this breach unusually serious. A stolen password can be changed and a credit card can be reissued, but a fingerprint is permanent — once it is in criminal hands, it stays compromised for life.

What the Class Action Alleges

The complaint alleges that NYC Health + Hospitals failed to implement and follow reasonable, industry-standard data-security practices, and that this failure allowed hackers to roam its systems for months and steal a massive trove of patient and staff data. As a direct result, the suit says, class members now face a significantly increased — and potentially lifelong — risk of identity theft, financial fraud, medical identity fraud, and invasion of their health privacy.

Claims of this kind in healthcare data-breach cases typically sound in negligence, breach of implied contract, and violations of consumer-protection law, with HIPAA's security requirements often cited as the standard of care a health system should have met. As with any complaint, these are allegations only; a court has not ruled on whether NYC Health + Hospitals did anything wrong.

Is There a Settlement or Claim Form Yet?

No. This is a newly filed lawsuit, not a settlement. That means:

• There is no settlement fund.
• There is no claim form.
• There is no payout, and no deadline to act.
• Patients and employees do not need to do anything to "join" at this stage.

If the case eventually settles — as many large healthcare data-breach class actions do — a court-supervised claims process with its own eligibility rules and deadlines would be announced separately, and we will cover it. For examples of how that stage looks, see the open Lakeview Health data breach settlement or our roundup of open data breach settlements.

Who Could Be Affected?

The breach was reported as affecting at least 1.8 million people. Because no class has been certified, the exact class definition is not final, but the group would generally include patients (and potentially employees) whose information was held on the compromised systems. People most likely to be covered include:

• Anyone who received a data-breach notification letter from NYC Health + Hospitals
• Patients treated at NYC Health + Hospitals facilities or clinics in recent years
• People whose fingerprints or identity documents were on file with the health system

The health system has said affected individuals are being notified by mail. If you received a letter, keep it — it is the easiest way to confirm class membership if a settlement claims process ever opens.

What Should Affected Patients Do Now?

Even though there is nothing to file in the lawsuit, people caught up in the breach can protect themselves today. Use any free credit monitoring or identity-protection services offered in the breach notice. Review bank and credit card statements, credit reports, and especially medical insurance explanation-of-benefits statements for care you never received — medical identity theft often shows up there first. Consider placing a free credit freeze or fraud alert with the credit bureaus, and be alert for phishing calls, texts, and emails that use stolen details to appear legitimate. Details about the incident are posted in the official NYC Health + Hospitals breach notice.

What Happens Next?

The case will now move through the early stages of federal litigation: the health system may answer the complaint or move to dismiss, related cases filed by other patients may be consolidated, and the plaintiff will at some point ask the court to certify a class. Each of those steps can take months. Several plaintiffs' firms have also announced their own investigations into the breach, so additional complaints are possible.

OpenClassActions.com will watch the docket for major developments — consolidation, a motion to dismiss, class certification, or a settlement with a claim form — and update this page as the case advances.

Frequently Asked Questions

Is there a NYC Health + Hospitals settlement yet?

No. The case is a proposed class action lawsuit. There is no settlement, no fund, and no claim form. The health system has not been found liable just because a lawsuit was filed.

What data was stolen in the breach?

According to the breach disclosure and news reporting, the stolen data reportedly includes medical records (diagnoses, treatments, prescriptions, imaging, insurance details), identity documents such as driver's licenses and passports, and biometric fingerprint scans.

How do I know if I'm affected?

NYC Health + Hospitals is notifying affected individuals by mail. If you received a breach notification letter, you are in the affected group — keep the letter. The reported total is at least 1.8 million people.

Do I need to file a claim?

No. Because this is a lawsuit and not a settlement, there is nothing to claim and no deadline. If a settlement or certified class ever produces a claims process, eligibility rules and deadlines would be announced then. In the meantime, use any free monitoring offered and watch your accounts.

Sources

• U.S. District Court for the Southern District of New York — O'Connor v. New York City Health and Hospitals Corp. (proposed class action complaint)
NYC Health + Hospitals — Notice of Data Breach
Bloomberg Law — NYC Public Hospitals Sued Over Hack Affecting 1.8 Million People
TechCrunch — NYC Health and Hospitals says hackers stole medical data and fingerprints


For more class actions keep scrolling below.
Status Complaint Filed — Proposed Class Action
Case Title O'Connor v. New York City Health and Hospitals Corp.
Court U.S. District Court, Southern District of New York
Breach Window Late November 2025 – February 2026
People Affected At least 1.8 million
Official Breach Notice NYC Health + Hospitals Notice