They Stole Your Fingerprints and You Can't Get New Ones
The NYC Health + Hospitals breach is different from every data breach story you've read
Every data breach story provides some variation of the following advice for victims:
Change your password, keep an eye on your credit report, and you’ll probably be okay.
The NYC Health + Hospitals breach doesn’t have that. There is no version of “okay” available for the 1.8 million people whose data was taken, because among the things hackers walked out with were fingerprints and palm prints.
Those cannot be changed. They cannot be cancelled and reissued. The people in this database are more exposed today than they were in January, and that will still be true 15 years from now.
NYC Health + Hospitals, the largest public health system in the United States, disclosed the breach on May 18. Hackers were inside its network from late November 2025 through early February 2026, nearly ten weeks, entering through a compromised third-party vendor.
What was taken varies by individual but covers a lot of ground:
medical records
Social Security numbers
passports
driver’s licenses
health insurance details
billing and financial data
geolocation data
biometric data including fingerprints and palm prints.
NYCHHC is offering 24 months of credit monitoring to those affected. The fingerprints were almost certainly collected during employee onboarding, as prospective staff are generally required to enroll their fingerprints for criminal background checks. Whether patients’ biometrics were also compromised has not been confirmed.
The standard breach response assumes compromised data can be fixed in some form:
Passwords get reset.
Credit cards get cancelled.
Even a Social Security number can be changed (though not easily).
You can freeze your credit, set up an IRS identity protection PIN, and file fraud alerts.
The entire response to a data breach is built on that assumption.
Biometric data doesn’t fit into that arrangement though. A stolen fingerprint template is useful to a criminal today, in five years, and in twenty. It has no expiration date.
This isn’t the first time this has happened. In 2015, hackers breached the US Office of Personnel Management and took 5.6 million fingerprint records from federal employees and contractors. Those people were offered credit monitoring. More than a decade later, no additional remedy was ever provided. The NYCHHC breach just added 1.8 million more people to that list.
For the most part, this story is being treated as a healthcare cybersecurity story. Just another hospital breach that is unfortunate but familiar.
That’s not entirely wrong, but it misses something.
When an institution collects your fingerprints, it takes on a liability that it can eventually shed but that you never can. NYCHHC can get breached, patch its systems, update its vendor contracts, issue its press release, and move on. The people in its database carry the exposure for the rest of their lives. The 24 months of credit monitoring is the institution's closure. For the individual, there is nothing similar, because the exposure of biometric data never ends.
A 2024 survey by GetApp found that only 5% of consumers highly trusted technology companies to secure their biometric data, down from 28% in 2022.
If there’s one practical thing worth doing today, regardless of whether you’re directly affected by this breach, it’s reconsidering your use of biometric data.
Regular readers know we're not fans of the technology and have advised against it for some time. For your most sensitive accounts, including your personal devices, a strong PIN or passphrase has distinct advantages, including:
It lives only in your head and can be changed if something goes wrong.
Law enforcement (at least in the US) generally can't compel you to provide a password to unlock your devices, but in some jurisdictions, they can compel you to use your biometrics.
The harder question is what people are to do about compulsory biometric collection, such as at work or for a government service. And what are people owed when the government or an employer takes their biometrics and is then compromised?
In most cases, declining or opting out of providing your biometric data to an employer or the government isn't an option. And two years of credit monitoring isn't a true remedy. It's laughably insufficient and disproportionate to the harm.
The fingerprints stolen from OPM in 2015 are still stolen, still potentially useful, and the people who lost them still have no meaningful remedy. Modern society has built an entire infrastructure for collecting biometric data without building any corresponding accountability for when it’s lost.
That needs to change.
Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.