This week NYC Health and Hospitals – the largest public healthcare system in the United States – disclosed that hackers stole the personal data, medical records, and fingerprint scans of at least 1.8 million people. The attackers were inside the network for nearly three months before anyone noticed. The breach is one of the largest healthcare-related incidents reported to the U.S. Department of Health and Human Services this year.
The headlines so far have focused on the volume – 1.8 million victims, three months of undetected access, dozens of patient care sites, 45,000 healthcare workers in the affected employee pool. Those numbers matter. But there is a quieter, more unsettling part of this story that most coverage mentions only in passing and few have stopped to consider carefully:
The hackers took fingerprints and palm prints. And those cannot be changed.
For every other breach we have covered this year – Canvas, Grafana, DigiCert, GitHub – the affected individuals had at least one form of recourse. Change a password. Freeze a credit report. Rotate a token. Enable two-factor authentication. These are not pleasant chores, but they are possible. A stolen Social Security number can be replaced. A compromised password can be changed. A leaked email address can be replaced with a new one over time.
A fingerprint cannot. A palm print cannot. The people whose biometric data was in the NYC Health and Hospitals systems now carry that vulnerability for the rest of their lives. There is no agency you can call to be issued new fingerprints. There is no process for revoking and reissuing your palm.
This story matters for a small business owner in the Triangle for reasons that have nothing to do with hospitals and everything to do with the kinds of data your business handles every day – often without realizing it.
What Happened, In Plain English
- The intrusion began around November 25, 2025. Hackers gained access to NYC Health and Hospitals systems through what outside cybersecurity experts have described as a compromised third-party vendor. NYCHHC itself has not publicly identified the vendor.
- They stayed undetected for nearly three months. The intrusion was not discovered until February 2, 2026 – roughly 78 days after the attackers first got in. During that time they were copying files from internal systems.
- They had broad access to deeply sensitive information. What was stolen, per the official notification:
  - Names, addresses, dates of birth, and contact information
  - Social Security numbers
  - Passport numbers and driver’s license numbers
  - Health insurance plan and policy information
  - Medical information including diagnoses, medications, lab tests, and imagery
  - Billing, claims, and payment information
  - Fingerprint and palm print scans
- The notifications began this week – more than three months after the breach was first detected. That delay between detection and individual notification is, unfortunately, typical for healthcare breaches but should not be normalized.
- The vendor was the entry point. NYC Health and Hospitals did not get hacked directly. A trusted third party they had given access to did.
Why the Fingerprint Part Should Make Every Small Business Stop
For most people, the word “biometrics” calls to mind security checkpoints at airports or the fingerprint unlock on a smartphone. It feels distant from small business life. But biometric data has been steadily moving into small business environments over the past decade, often through products that nobody thought of as biometric collectors at the time of purchase.
Consider how many of these are routine in a small business setting:
- Fingerprint time clocks. Many small businesses installed biometric timeclocks years ago to eliminate buddy-punching. Every employee who has ever clocked in is in that vendor’s database.
- Fingerprint unlock on company-issued phones and laptops. Even when the biometric is “stored only on the device,” the device manufacturer’s account ecosystem holds connected data, recovery information, and authentication patterns associated with that biometric.
- Building access systems. Fingerprint or hand-geometry readers at office doors. Employee badge systems that incorporate biometrics. Most small businesses bought these systems through a vendor who is not in the room when the data is being handled.
- Background check services and onboarding platforms. Every employee who has ever gone through a fingerprint-based background check has their print on file somewhere – with the contractor that processed it, with the state authority that ran the search, and often in third-party HR platforms that retained a copy.
- Banking and financial apps. Many small businesses now use mobile banking with fingerprint or face authentication. Those biometric templates live in the bank’s authentication infrastructure.
- Voice authentication for phone systems. Voice biometrics are increasingly common in customer service and authentication. Voiceprints, like fingerprints, cannot be changed.
None of these technologies are bad. Many of them are genuinely useful. The problem is not that small businesses use biometrics. The problem is that most small businesses have never made a list of which vendors hold which biometric data about which employees, what those vendors’ security postures are, or what their notification obligations would be if any of those vendors got breached.
NYC Health and Hospitals was storing fingerprint scans of employees – almost certainly for criminal background checks during onboarding. That is exactly the same category of biometric collection that happens at small businesses in every regulated industry. Medical practices. Daycare centers. Law firms. Real estate offices. Financial advisory practices. Anywhere that runs criminal background checks on staff is, somewhere along the chain, generating biometric records that live in a vendor system.
The lesson from this breach is not “stop using biometrics.” It is “know who is holding the biometric and other irreplaceable personal data your business collects, and have a plan for what happens if any of them is breached.”
The Vendor Risk Story Beneath the Story
We have written about this pattern repeatedly throughout our recent series. NYCHHC did not get hacked directly. A vendor they trusted did. That has been the through-line of every major breach we have covered – Canvas, Grafana, DigiCert, the FBI’s router warning. The attackers go after the weakest link in the chain, and once one trusted relationship is compromised, the data they were entrusted with becomes available to people who never had any right to it.
For a 20-person law firm in Cary, a 30-person medical practice in Raleigh, or a small manufacturer in Smithfield, the pattern works the same way. You have:
- A payroll vendor that holds every employee’s Social Security number, bank account number, address, and date of birth
- A health insurance broker who holds family member information for every plan participant
- A 401(k) administrator who holds even more financial detail
- A background check service that holds fingerprint records, driver’s license copies, and consent forms
- An HR platform that holds copies of I-9 documents, including passport photographs, driver’s license images, or Social Security card scans
- A workers’ compensation carrier that holds medical and injury information
- An accounting firm or CPA who holds tax records for the business and often the owners’ personal returns
Every one of those vendors has access to data that, if breached, would create real harm for real people – your employees, their families, and the business itself. And in most small businesses we walk into, nobody has ever made a complete list of who has what, audited what their security commitments look like, or thought through the notification consequences of a breach at any of them.
The NYC Health and Hospitals story is the giant-scale version of a problem that exists in nearly every small business we serve. The data categories are slightly different. The vendor names are different. The headcount is different. But the underlying structure is identical: your business depends on outside parties to hold and protect sensitive information about your employees and customers, and you do not have a clear picture of what would happen if any of them is breached.
The Three-Month Detection Gap
One detail from the NYCHHC story should not be glossed over: the hackers were inside the system for about 78 days before anyone noticed. That is faster than the industry average for healthcare breaches – which is itself a depressing statement. IBM’s 2024 Cost of a Data Breach Report puts the average detection time at over six months across all industries. For some breaches we have covered, attackers stayed inside their target networks for over a year.
That gap matters because it determines how much damage gets done. Three months of access is enough time to map an entire network, find every database of value, copy what is worth taking, and leave persistence mechanisms behind. By the time a breach is detected, the attackers usually already have what they wanted – and the response becomes about damage control rather than prevention.
This is exactly the reason that active monitoring is the highest-leverage investment most small businesses can make in their cybersecurity posture. Not a fancier antivirus. Not a more expensive firewall. Just somebody whose job it is to actually look at what is happening on the network, on the cloud accounts, on the SaaS platforms – and to notice when something is off. The NYCHHC breach would have ended very differently if it had been caught in week one instead of week eleven.
The Personal Data Audit Most Small Businesses Have Never Done
If the Canvas breach prompted a vendor risk inventory conversation, the NYCHHC breach should prompt a slightly different one: a personal data audit.
A personal data audit asks a series of uncomfortable but important questions:
- What personal data does our business collect on employees, customers, and contractors? Names. Addresses. Dates of birth. Social Security numbers. Driver’s licenses. Passport copies. Bank account information. Health information. Family details. Biometric data. We rarely think of these as a category, but they are – and they all need protection.
- Which vendors and software systems hold each piece of that data? You will almost always discover that a single piece of data lives in more places than you realized.
- What does each of those vendors say in their security commitments? Have you actually read the data processing agreements? Most owners have not.
- What would your notification obligations be if any one of them were breached tomorrow? Federal HIPAA notification rules. State data breach notification laws (North Carolina has its own). Industry-specific regulations. Contractual obligations to customers. Each one comes with timelines and content requirements that are very hard to manage from a standing start during an actual incident.
- What is your incident response plan when a vendor announces a breach affecting your employees or customers? Most small businesses do not have one written down. The response is improvised, slow, and stressful.
- What biometric or other irreplaceable data does your business directly or indirectly collect? This is the question most owners have never asked. The answer is usually more than they expected.
The personal data audit is not the same as a vendor risk inventory – though they are closely related. The vendor risk inventory asks “which vendors does our business depend on?” The personal data audit asks “what personal data about real people are we responsible for, and where does it live?” Most small businesses need both. Most have done neither.
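The audit questions above reduce to a small bookkeeping problem: which vendor holds which category, which categories can never be reissued, and whose agreements have been read. The script below is an added example (not the firm's own tooling); every vendor name and holding in it is constructed sample data, and the scoring weights are assumptions chosen to illustrate the prioritization.

```python
# Added example, not from the original post: a minimal personal data audit that
# maps each data category to the vendors holding it, flags irreplaceable
# (biometric and medical) data, and ranks vendors by exposure. Sample data only.

# Can the data be reissued after a breach? Biometrics and medical history cannot.
REPLACEABLE = {
    "name_address_dob": True, "ssn": True, "drivers_license": True,
    "bank_account": True, "health_info": False, "fingerprint": False,
}

# Constructed inventory: vendor -> (categories held, data processing agreement reviewed?)
INVENTORY = {
    "PayrollCo (hypothetical)": ({"name_address_dob", "ssn", "bank_account"}, True),
    "BackgroundCheck Inc (hypothetical)": ({"name_address_dob", "ssn", "drivers_license", "fingerprint"}, False),
    "TimeClock vendor (hypothetical)": ({"name_address_dob", "fingerprint"}, False),
    "Workers comp carrier (hypothetical)": ({"name_address_dob", "health_info"}, True),
}

def data_locations(inventory):
    """Invert the inventory: category -> sorted vendors holding it."""
    locations = {}
    for vendor, (categories, _) in inventory.items():
        for category in categories:
            locations.setdefault(category, []).append(vendor)
    return {c: sorted(v) for c, v in locations.items()}

def vendor_exposure(inventory, replaceable=REPLACEABLE):
    """Assumed weights: 1 per replaceable category, 3 per irreplaceable one,
    doubled when the vendor's security commitments were never reviewed."""
    scores = {}
    for vendor, (categories, reviewed) in inventory.items():
        base = sum(1 if replaceable[c] else 3 for c in categories)
        scores[vendor] = base if reviewed else base * 2
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def findings(inventory, replaceable=REPLACEABLE):
    """The audit's three outputs: who holds irreplaceable data, which data
    lives in more than one place, and whose agreements are unread."""
    locations = data_locations(inventory)
    return {
        "irreplaceable_holders": sorted(
            v for v, (cats, _) in inventory.items() if any(not replaceable[c] for c in cats)),
        "multi_location": sorted(c for c, vs in locations.items() if len(vs) > 1),
        "unreviewed": sorted(v for v, (_, reviewed) in inventory.items() if not reviewed),
    }

if __name__ == "__main__":
    for vendor, score in vendor_exposure(INVENTORY):
        print(f"{score:3d}  {vendor}")
```

With the sample data, the unreviewed background check vendor that holds fingerprints ranks first, which is the shape of the finding the audit is meant to surface.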
How Pendergrass Consulting Helps
The NYC Health and Hospitals breach illustrates something we have been saying throughout this year of breach coverage: the real cybersecurity work for a small business is not buying products. It is doing the unglamorous work of knowing what you have, who is responsible for it, where it lives, and what would happen if any one piece of that picture went wrong.
Our managed cybersecurity service for small businesses across the Research Triangle includes a dedicated Personal Data Audit as a defined engagement:
- Discovery interview with the business owner and any operations or HR lead – so we understand what your business actually does and what data you actually collect.
- Full inventory of personal data – employee data, customer data, contractor data, family member data, biometric data (often the most surprising category), and any sensitive document types that have accumulated over time.
- Vendor and system mapping – for each category of personal data, we identify every vendor and software system that holds it, including the ones the owner may not have realized had access.
- Notification obligation review – what your business would actually be required to do if any one of those vendors announced a breach tomorrow, including federal, state, and industry-specific requirements relevant to North Carolina businesses.
- Risk-prioritized findings – a clear report identifying which categories of data and which vendors represent the most exposure, with practical recommendations for each one.
- Incident response planning – a real, written playbook for what to do when a vendor of yours announces a breach. Not a generic template. A plan tailored to your specific environment.
- Quarterly reviews – because the vendor list changes, the data categories change, and new regulations come out. The audit is not a one-time event.
Most small business owners we walk through this exercise are surprised by what surfaces. The vendor they forgot they were still paying. The HR platform that still has access to former employees’ data. The biometric timeclock contract that quietly auto-renewed three years ago. The accounting firm that has been emailing tax records as PDFs to nobody-knows-where. These are not exotic problems. They are ordinary problems that compound over time when it is nobody’s job to think about them.
If you have never had a real conversation about what personal data your business is responsible for, where it lives, and what would happen if any one of those locations was breached – that conversation is overdue. The NYC Health and Hospitals story is the most public possible example of what happens when that conversation has not been had. The first conversation with us is free, and there is no commitment beyond it.
Pendergrass Consulting
Phone: 252-432-3325
Email: Sales@PendergrassConsulting.com
110 S. Massey St., Suite 201, Selma, NC 27576
Pendergrass Consulting is a full-service IT firm based in Selma, NC, serving small businesses across the Research Triangle, Raleigh, Cary, Wake County, Johnston County, and nationally for web design, hosting, email, cloud backup, cybersecurity, and digital marketing services.