
NYC Health + Hospitals Breach: The Biometric Data You Can't Take Back - 2 Minute Drill
About This Episode
In late 2025, cyber attackers slipped into New York City Health + Hospitals through a third-party vendor and stayed undetected for nearly three months. When they left, they took more than records and Social Security numbers. They took fingerprints and palm prints -- biometric data belonging to some of the most vulnerable patients in the country.
You can cancel a credit card. You can get a new password. You can even navigate a stolen SSN. You cannot get new fingerprints. What walked out of that network in November is permanent.
Drex uses this breach to ask a question every health system needs to answer right now: do you actually know where your biometric data lives, who can reach it, and what protections are in place? Badge readers, palm vein scanners, EHR workstations -- the collection has grown fast. The mapping hasn't kept up.
Remember, Stay a Little Paranoid
Transcript
Hey everyone, I'm Drex and this is The Two Minute Drill. It's great to see you today. Here's some stuff you might wanna know about.

Picture a waiting room at a New York City public hospital: Harlem Hospital or Elmhurst or Bellevue or Kings County. These are places that catch the people who fall through every other gap in the system. They're uninsured, on Medicaid. They may not have any other options. New York City Health + Hospitals runs 11 hospitals and dozens of clinics across five boroughs, the largest public healthcare system in the country. About one point eight million New Yorkers depend on it, and at some point, someone in that organization made an important operational decision. They decided to collect biometric data from their patients, including fingerprints and palm prints, almost certainly for employee background checks, which routinely require fingerprint enrollment. Maybe patient identification, too, the kind of administrative call that gets made and gets documented somewhere and mostly is forgotten, except someone else remembered it.

Sometime in November twenty twenty-five, cyber thugs got into their network, not by hitting the hospital directly. They came through a third-party vendor, a side door, and the organization still hasn't publicly identified the third party. And once the bad guys were in, they stayed, from November all the way to February second, twenty twenty-six, when someone finally caught it and locked them out. In that window, they took a lot of stuff: medical record info, including diagnoses, medications, tests and imaging, and insurance and billing data; government info like Social Security numbers and passports and driver's licenses; and photos. And some of those photos had more than just the image. Remember, a lot of cameras today embed precise geolocation information as the metadata in those images. The bad guys also took copies of fingerprints and palm prints.

You can cancel a credit card in two minutes. A new password takes thirty seconds. Even a stolen Social Security number has a really painful but real remediation path. But you can't get new fingerprints, not ever. What left the network in November is out in the world now, permanently. Fingerprints are used for things like building access and background checks and border crossings and phone unlock and device authentication. There's no patching them. There's no patching that biometric data. There's no rotating them. They don't expire.

New York City Health + Hospitals discovered the breach on February second. They told the public on May eighteenth, three and a half months later. The one point eight million people, most of them the patients with the fewest other options. I don't say all this to drag New York City Health + Hospitals. I say it because there's a thing I want you to think about, because it may be happening in your health system, and if it is, you need to think about how to fix it.

Every health system listening is collecting more biometric data than it was five years ago. Fingerprints on badge readers, palm vein scanners at patient check-in, biometric authentication on EHR workstations and medical devices. It's faster and more practical than passwords, and almost none of the organizations doing it have stopped to ask, "Where exactly does that data live? Who can reach it? What contractual guardrails govern how our vendors handle it?" A password breach is recoverable. A biometric breach isn't. The data is permanent, and the organizations that haven't mapped where it lives won't know what they've lost until it's already gone. So when did you last inventory what biometric data your organization actually holds, and who has access to the data? And does it have any extra protections? It worries me, and it probably should worry you, too.

That's it for today's Two Minute Drill. Drop me a note. Let me know what you're working on. I'm always happy to hear from you. I'm drex@229project.com. Thanks for being here, and stay a little paranoid. I'll see you around campus.