NYC Health + Hospitals data breach: Hackers stole medical records and fingerprints of 1.8 million patients
A massive NYC Health + Hospitals data breach has exposed the personal and medical information of at least 1.8 million individuals, including sensitive biometric data like fingerprints. The attack, which went undetected for months, ranks among the largest healthcare-related cyber incidents this year.

NYC Health + Hospitals (NYCHHC) is the largest public health system in the United States, serving over one million New Yorkers, many of whom are uninsured or rely on state benefits like Medicaid. The breach was disclosed in a notice filed with the U.S. Department of Health and Human Services, confirming the scale of the incident.

How the NYC Health + Hospitals data breach unfolded

The healthcare system detected the cyberattack on February 2, 2026, after hackers had already infiltrated its network. According to the breach notice, unauthorized access began in November 2025 and persisted until February 2026. During this window, cybercriminals copied files from NYCHHC’s systems before the organization managed to secure its network.

The breach originated from a compromise at a third-party vendor, though NYCHHC has not named the vendor involved. This incident highlights a growing trend: attackers targeting healthcare providers through their supply chain, exploiting weaker security links.

What data was stolen in the healthcare data breach?

The exposed data varies by individual but includes a wide array of sensitive information. Stolen records contain health insurance plan details, policy numbers, medical information such as diagnoses, medications, test results, and imaging scans. Additionally, billing, claims, and payment information were compromised.

Beyond medical data, hackers also accessed government-issued identity documents, including Social Security numbers, passports, and driver’s licenses. The breach notice mentions the theft of “precise geolocation data,” suggesting that user-uploaded photos of identity documents may have revealed exact locations where they were captured.

Most alarming is the theft of biometric data, specifically fingerprints and palm prints. Unlike passwords or credit card numbers, biometric identifiers are permanent and cannot be replaced. NYCHHC did not explain why it stored this data, though prospective employees typically provide fingerprints for criminal background checks. It remains unclear if patient biometrics were also taken.

Why healthcare remains a prime target for cybercriminals

This healthcare data breach is part of a broader pattern. Healthcare organizations have become frequent targets for financially motivated hackers due to the wealth of sensitive patient information they hold. Ransomware attacks, where criminals encrypt data and demand payment, are particularly common.

The FBI’s latest annual cybercrime report covering 2025 confirms that healthcare remains a top target for ransomware attackers. These criminals often steal data before encrypting it, threatening to publish the information if ransoms are not paid.

A notable example is the ransomware attack on UnitedHealth-owned Change Healthcare, which allowed Russian-linked hackers to steal medical and billing information from over 190 million Americans. That incident is considered the largest theft of U.S. medical data in history.

Impact on patients and response efforts

For affected individuals, the consequences are severe. Stolen medical records can be used for identity theft, fraudulent insurance claims, or even blackmail. Biometric data theft is particularly concerning because fingerprints cannot be changed, leaving victims vulnerable for life.

NYCHHC’s website was briefly offline as of Monday morning, complicating communication efforts. A spokesperson did not respond to inquiries about why the breach took months to detect or whether hackers demanded a ransom. The incident appears unrelated to a separate data breach at the National Association on Drug Abuse Problems (NADAP), which affected over 5,000 NYCHHC patients earlier this year.

Patients are advised to monitor their accounts for suspicious activity and consider placing fraud alerts on their credit reports.

What NYCHHC patients should do now

If you are a NYCHHC patient, take immediate steps to safeguard your information. Check your health insurance statements for unauthorized claims. Review your credit reports from the three major bureaus: Equifax, Experian, and TransUnion. Consider freezing your credit to prevent new accounts from being opened in your name.

Also be cautious of phishing attempts: attackers may use the stolen data to craft convincing emails or phone calls. Never share personal information unless you are certain of the recipient’s identity.

The NYC Health + Hospitals data breach serves as a stark reminder of the vulnerabilities in healthcare systems. As cyber threats evolve, both providers and patients must remain vigilant to protect sensitive data.

BlackFile Extortion Group Strikes Retail and Hospitality with Vishing Attacks
A newly identified extortion group, known as BlackFile, has been systematically targeting retail and hospitality businesses since February 2026. Security researchers from Palo Alto Networks Unit 42, in collaboration with the Retail and Hospitality Information Security and Analysis Center (RH-ISAC), published a detailed report on April 23. The report, titled Extortion in the Enterprise: Defending Against BlackFile Attacks, sheds light on the group’s financially motivated tactics.

This activity cluster, designated CL-CRI-1116, overlaps with publicly known threats like UNC6671 and Cordial Spider. Experts believe it is linked to the notorious collective “The Com.” Unlike many cybercriminal groups, BlackFile avoids custom malware. Instead, it relies on living-off-the-land techniques, misusing APIs and legitimate internal resources.

How BlackFile Uses Vishing to Breach Defenses

BlackFile’s primary entry point is through vishing attacks—voice phishing that impersonates an IT helpdesk. Attackers use spoofed VoIP numbers or fraudulent Caller ID names to hide their identity. Their goal is credential theft, often targeting one-time passwords.

To achieve this, they deploy phishing pages that mimic legitimate corporate single sign-on portals. Additionally, they employ antidetect browsers and residential proxies to mask their geographic location. This helps them bypass basic IP-based reputation filters, making detection harder.

Credential Theft and MFA Bypass

Once they steal a user’s credentials, BlackFile registers a new device to bypass multi-factor authentication (MFA). This step ensures persistent access. From there, they move laterally from standard employee accounts to high-privileged accounts. They scrape internal employee directories to build contact lists for executives.

By compromising senior accounts through further social engineering, they gain broad-spectrum access. This access mirrors legitimate executive session activity, making it difficult to flag as malicious.

Data Exfiltration and Extortion Tactics

Inside the victim’s network, BlackFile focuses on SaaS data discovery and API abuse. They scrape SharePoint sites, searching for keywords like “confidential” and “SSN.” They also target Salesforce for high-value files and reports.

Data exfiltration happens directly through the browser or via API exports. By leveraging Salesforce API access and standard SharePoint download functions, they move large volumes of data—including CSV datasets of employee phone numbers and confidential business reports—to attacker-controlled infrastructure. This activity often occurs under legitimate SSO-authenticated sessions to avoid triggering simple user-agent alerts.

After exfiltration, the group extorts victims via random Gmail addresses or compromised employee email accounts. They typically demand a seven-figure sum. In some cases, they resort to swatting C-suite executives to pressure payment.
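The chain described above (a new MFA device registered on a stolen account, keyword searches against SharePoint, then bulk downloads and API exports under an otherwise legitimate SSO session) is exactly what a defender's correlation rule should look for, since no single event in it is unusual on its own. The following is an added example, not code from Unit 42, RH-ISAC or the report, that runs such a rule over a constructed identity-provider and SaaS audit trail. The event names, field names, IP addresses, user names, 24-hour window and 50-download threshold are all assumptions for this illustration, not any vendor's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Terms the report says BlackFile searched SharePoint for; matching is case-insensitive.
SENSITIVE_TERMS = {"confidential", "ssn"}


def _downloads(user, start, count, src_ip):
    """Build `count` constructed SharePoint download events, one second apart."""
    t0 = datetime.fromisoformat(start)
    return [
        {
            "ts": (t0 + timedelta(seconds=i)).isoformat(),
            "user": user,
            "event": "sharepoint_file_downloaded",
            "detail": f"Finance/report_{i:03d}.xlsx",
            "src_ip": src_ip,
        }
        for i in range(count)
    ]


# Constructed sample audit trail (not real telemetry). Event and field names are
# assumptions for this example, not any identity provider's or SaaS vendor's schema.
SAMPLE_EVENTS = (
    [
        # j.doe: new MFA device, sensitive-keyword searches, then bulk exfiltration.
        {"ts": "2026-03-02T09:12:00", "user": "j.doe", "event": "mfa_device_registered",
         "detail": "Authenticator app", "src_ip": "198.51.100.23"},
        {"ts": "2026-03-02T09:15:00", "user": "j.doe", "event": "sharepoint_search",
         "detail": "confidential", "src_ip": "198.51.100.23"},
        {"ts": "2026-03-02T09:16:00", "user": "j.doe", "event": "sharepoint_search",
         "detail": "SSN", "src_ip": "198.51.100.23"},
        {"ts": "2026-03-02T09:30:00", "user": "j.doe", "event": "salesforce_report_exported",
         "detail": "All Accounts (CSV)", "src_ip": "198.51.100.23"},
        # a.smith: also registers a new device, but ordinary activity follows.
        {"ts": "2026-03-03T08:00:00", "user": "a.smith", "event": "mfa_device_registered",
         "detail": "Replacement phone", "src_ip": "203.0.113.7"},
        {"ts": "2026-03-03T08:05:00", "user": "a.smith", "event": "sharepoint_search",
         "detail": "quarterly budget", "src_ip": "203.0.113.7"},
    ]
    + _downloads("j.doe", "2026-03-02T09:20:00", 75, "198.51.100.23")
    + _downloads("a.smith", "2026-03-03T08:06:00", 3, "203.0.113.7")
)


def correlate(events, window_hours=24, download_threshold=50):
    """Flag users whose new MFA device registration is followed, within the window,
    by bulk SharePoint downloads, Salesforce report exports or sensitive-term searches.
    Returns one alert per (user, registration) listing the reasons that fired."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for reg in (e for e in evs if e["event"] == "mfa_device_registered"):
            end = reg["ts"] + timedelta(hours=window_hours)
            window = [e for e in evs if reg["ts"] < e["ts"] <= end]

            downloads = sum(e["event"] == "sharepoint_file_downloaded" for e in window)
            exports = sum(e["event"] == "salesforce_report_exported" for e in window)
            terms = sorted(
                {e["detail"].lower() for e in window if e["event"] == "sharepoint_search"}
                & SENSITIVE_TERMS
            )

            reasons = []
            if downloads >= download_threshold:
                reasons.append(f"{downloads} SharePoint downloads (threshold {download_threshold})")
            if exports:
                reasons.append(f"{exports} Salesforce report export(s)")
            if terms:
                reasons.append("sensitive-term SharePoint searches: " + ", ".join(terms))
            if reasons:
                alerts.append({
                    "user": user,
                    "device_registered_at": reg["ts"].isoformat(),
                    "src_ip": reg["src_ip"],
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['user']} ({alert['src_ip']}) registered a device at {alert['device_registered_at']}:")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

The rule keys everything to the device registration because that is the one step the attacker cannot skip: once a new authenticator is enrolled, every later action looks like the legitimate user. Anchoring on it, and treating ordinary downloads and searches as suspicious only in that window, keeps the false-positive rate low for the many employees who genuinely replace a phone. In production the same signals come from the identity provider's device-enrollment log and the SharePoint and Salesforce audit logs, and the thresholds should be tuned to the organization's baseline.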

Defending Against BlackFile Attacks

To mitigate these threats, organizations should focus on security policies and multi-factor identity verification for callers. Protocols around what information can be shared during calls are crucial. IT support actions should require escalation to management for sensitive requests.

Furthermore, security awareness training for frontline phone staff can be effective. Simulation-based scenarios help staff identify signs of social engineering, such as vague answers and high-pressure requests for immediate action.

Retail and hospitality businesses must therefore stay vigilant. The BlackFile extortion group demonstrates how simple social engineering can lead to massive data breaches and financial loss. Proactive defense is the best countermeasure.

Security Sweep on Air Force One: Gifts, Burner Phones, and Pins from China Trip Discarded
Upon departing Beijing after a two-day summit with President Xi Jinping, U.S. officials and journalists traveling on Air Force One were ordered to dispose of various items received during the visit. This unexpected directive, reported by a White House pool journalist, included staff burner phones, credential badges, and lapel pins issued by the Chinese government. The objects were placed in a bin at the foot of the aircraft’s stairs, with a clear instruction: nothing from China was allowed on the plane.

Why Were Items from the China Trip Banned?

While the official reason for the disposal remains undisclosed, security experts point to standard protocol against potential espionage. China, despite the cordial nature of the summit, is viewed as a key intelligence adversary by the United States. Washington and its allies have long accused Beijing of conducting cyberattacks and espionage operations. As a result, it is not far-fetched to assume that gifted items, such as the lapel pins worn by President Trump, Apple CEO Tim Cook, and Nvidia’s Jensen Huang, could have been bugged. Such precautions are not unprecedented in diplomatic history.

Burner Phones: A Necessary Precaution

Burner phones, designed for temporary use and easy disposal, are often employed in high-risk environments. In this context, the decision to discard them after the Air Force One China trip aligns with standard security practices. These devices may have been targeted for surveillance during the summit, making their removal a logical step. The White House has not commented on the specific threats that prompted this action, but the move underscores the heightened vigilance required in diplomatic engagements with rival nations.

Reactions and Implications for Future Summits

On social media, Emily Goodin, the White House correspondent for the New York Post, confirmed the order, stating, “Nothing from China allowed on the plane.” This incident raises questions about the balance between diplomatic courtesy and national security. As diplomatic travel security evolves, such measures may become more common. For reporters and officials, it serves as a reminder that even seemingly innocuous souvenirs can pose risks. The Air Force One China trip highlights the ongoing tension between cooperation and caution in U.S.-China relations.

In addition, the disposal of credential badges and pins suggests a comprehensive security sweep. While the summit appeared successful, the underlying cybersecurity and counterintelligence concerns remain. This event will likely inform future protocols for White House travel security, ensuring that all items from sensitive trips are vetted or discarded.

Ultimately, the decision to discard gifts and burner phones reflects a prudent approach to safeguarding national security. As geopolitical tensions persist, such practices may become standard, reinforcing the need for vigilance in every diplomatic exchange.

Fast16 Sabotage Malware: The Pre-Stuxnet Cyber Weapon Targeting Iran’s Nuclear Program
Security researchers have uncovered a piece of Fast16 malware that dates back to 2005, revealing a sophisticated cyber sabotage campaign aimed at disrupting Iran’s nuclear program years before the infamous Stuxnet worm. This discovery sheds new light on early state-backed cyber operations, offering a glimpse into the evolution of digital warfare.

What Is Fast16 Malware and How Was It Discovered?

Researchers from SentinelOne, Vitaly Kamluk and Juan Andrés Guerrero-Saade, recently published a detailed analysis of this early threat. Their investigation began with a simple question: did any malware featuring an embedded Lua virtual machine predate known state-sponsored campaigns like Flame or Project Sauron?

This line of inquiry led them to a service binary named svcmgmt.exe, which contained an embedded Lua 5.0 VM and referenced a kernel driver called fast16.sys. According to the researchers, this driver acts as a boot-start filesystem component that intercepts and modifies executable code as it is read from disk. Although it cannot run on Windows 7 or later systems, for its time, fast16.sys was far more advanced than typical rootkits, thanks to its position in the storage stack and its rule-based code patching capabilities.

How Fast16 Malware Differs From Stuxnet

One of the most striking aspects of this find is its timeline. Fast16 malware predates Stuxnet by at least five years, making it one of the earliest known examples of a cyber sabotage tool with a specific mission. While Stuxnet, discovered in 2010, was a highly sophisticated worm designed to sabotage Iran’s nuclear centrifuges, Fast16 stands out for its unique architecture.

Unlike typical worms of that era, Fast16 is the first recorded Lua-based network worm. Its carrier was designed to act like “cluster munition in software form,” capable of carrying multiple wormable payloads, which the researchers refer to as “wormlets.” This design allowed the malware to spread through Windows 2000 and XP systems, relying on default or weak admin passwords on file shares. However, it would only activate after checking that the targeted environment was not running specific security software—a level of environmental awareness that was notably advanced for its time.

Targets and End Goal of Fast16 Sabotage

The Fast16 malware was specifically crafted to interfere with three high-precision engineering and simulation suites popular in the mid-2000s: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform. These tools were used for crash testing, structural analysis, and environmental modeling, with LS-DYNA believed to have been deployed by Iran.

The malware’s purpose was to corrupt the calculations produced by these tools, introducing small but systematic errors into physical-world simulations. By doing so, it could undermine or slow scientific research programs, degrade engineered systems over time, or even contribute to catastrophic damage. As the researchers note, this framework serves as a reference point for understanding how advanced actors think about long-term implants, sabotage, and a state’s ability to reshape the physical world through software.

Interestingly, the malware was also referenced in the infamous Shadow Brokers leak of NSA hacking tools, tying it back to US offensive cyber operations. This connection reinforces the notion that state-sponsored cyber sabotage has a longer history than many realize.

Why Fast16 Matters for Cybersecurity Today

This discovery highlights the importance of historical analysis in cybersecurity. By studying early threats like Fast16 malware, researchers can better understand the tactics, techniques, and procedures of state-sponsored groups. It also serves as a reminder that cyber sabotage is not a recent phenomenon—it has been evolving for decades.

As SentinelOne’s researchers conclude, Fast16 is a testament to the ingenuity of early cyber operators and a warning about the persistent threat of targeted malware. Organizations should remain vigilant, as similar techniques could still be used in modern attacks.
