Secrets of Privacy

What Can You Do If Your Fingerprints Are Stolen?

The NYCHHC breach is the clearest example yet of a problem that's going to keep happening.

Secrets of Privacy
May 28, 2026

If you read my piece earlier in the week on the NYC Health + Hospitals breach, you know what makes this breach different and harder to fix.

Hackers spent nearly ten weeks inside the network of the largest public health system in the United States, took the fingerprints of at least 1.8 million people, and the response was 24 months of credit monitoring.

Now the monitoring isn’t worthless. It covers real financial fraud risk. But it’s aimed at the wrong threat for the wrong timeframe. And NYCHHC isn’t a one-off. It’s the most visible example so far of something that’s going to keep happening.

Biometric data collection has expanded rapidly across healthcare, government, workplaces, and financial services over the past decade. Each new collection point is another institution whose vendor could be compromised, and another population of people who had no meaningful say in the collection and will have no real remedy after the exposure.

The advice below is written for anyone in the NYCHHC dataset. But it applies equally to anyone whose fingerprints have ever been collected by an employer, a hospital, a government agency, or a background check vendor. That population is much larger than 1.8 million people, and it’s growing. Odds are you fall in that bucket.

Before getting into what to do, there are two risk timelines worth understanding, because they require different responses and almost no breach coverage distinguishes between them.

The first is immediate and concrete. The second is slower and speculative in the short term, but increasingly probable as tools get cheaper and the data ages.


The Near-Term Threat Isn’t the Fingerprints

First things first. The near-term risk in this breach isn’t the biometric data. It’s what the biometric data came packaged with, because this breach didn’t take fingerprints alone. It took:

medical records, health insurance details, specific diagnoses and medications, Social Security numbers, passports, driver’s licenses, geolocation data, and financial account information.

That combination is the raw material for medical identity fraud, a specific and growing crime where someone uses your insurance to obtain prescriptions, medical equipment, or procedures in your name. You often don’t find out until a debt collector calls about a bill for a procedure you never received, or you go to use your benefits and find they’re exhausted.

While the theft of the fingerprints is what gets the most attention, the fingerprints aren’t the primary weapon for scammers in this scenario. What they do is make impersonation more convincing. An attacker who can call your insurer knowing your diagnosis, your medications, your policy number, and your SSN is already dangerous. Having the biometric data on hand is just one more piece to support the scam.

The Long-Term Threat Is Real, Just Slower

Stolen fingerprint templates can be used to reconstruct fingerprint images. With accessible equipment, including 3D printers and materials like silicone or gelatin, researchers have demonstrated the ability to create physical spoofs capable of fooling most consumer fingerprint sensors, including the ones used for mobile banking. This has been shown in controlled research and in real-world demonstrations.

The barrier today is effort: abusing a stolen fingerprint template takes more work than abusing a stolen password. But biometric data has an indefinite shelf life, and the tools to exploit it are getting cheaper every year. The people in this dataset will still be in it when the economics become more feasible.

The OPM case is the clearest precedent. When the Office of Personnel Management disclosed in 2015 that 5.6 million fingerprint records had been stolen, the agency acknowledged that:

“the ability to misuse fingerprint data is limited -- however, this probability could change over time as technology evolves.”

That was eleven years ago. The technology has evolved. The people whose fingerprints were taken have no more options now than they did then. The people in the NYCHHC dataset will still be in it when the economics shift. So will anyone else whose fingerprints are sitting in an institutional database somewhere.


What the Credit Monitoring Is Actually For

The monitoring NYCHHC is offering is oriented toward financial fraud such as new credit accounts opened in your name, hard inquiries, score changes, etc. That’s the risk model that all breach responses are built for, because it’s the one with established, clear remedies. Biometric exposure doesn’t fit into it, and medical identity fraud fits into it imperfectly at best. Neither is the core use case the monitoring was designed for.

Part of why the remediation is so narrow is that there’s no legal framework requiring anything broader. There’s no federal biometric privacy law. HIPAA governs how healthcare institutions must secure data, not whether they should be collecting certain kinds of data in the first place.

Illinois’ Biometric Information Privacy Act is the closest thing to a meaningful framework in the country, and it only applies in one state. NYCHHC collected millions of fingerprints under a legal framework designed for an earlier era, and the remediation framework that kicked in when it was breached was designed for a different kind of data entirely.

The steps below address the actual threat. Some are specific to people in the NYCHHC dataset. Most apply to anyone whose biometric data has ever been held by an institution, which, if you’ve been employed, treated at a major healthcare system, or processed through a government agency in the last decade, is probably you.
