- Severity
- critical
- Records
- 5,556,702
- Vector
- Network Intrusion — unauthorized access to IT systems
- Organization
- Yale New Haven Health System
- Incident Date
- 2025-03-08
Executive summary
Yale New Haven Health System (YNHHS), one of the largest healthcare providers in New England, suffered a significant data breach in March 2025 that exposed the personal and medical information of 5,556,702 patients. The breach—the largest healthcare data breach of 2025—resulted in multiple class action lawsuits and an $18 million settlement.
Incident overview
| Attribute | Details |
|---|
| Victim organization | Yale New Haven Health System |
| Industry | Healthcare |
| Headquarters | New Haven, Connecticut |
| Discovery date | March 8, 2025 |
| Individuals affected | 5,556,702 |
| Systems compromised | IT network (not EMR) |
| OCR report date | April 11, 2025 |
| Settlement amount | $18 million |
| Settlement status | Preliminary approval October 2025 |
Timeline
| Date | Event |
|---|
| March 8, 2025 | Anomalous network activity detected |
| March 11, 2025 | YNHHS announces breach on website |
| April 11, 2025 | Breach reported to HHS Office for Civil Rights |
| April 2025 | Multiple class action lawsuits filed |
| Summer 2025 | Investigation and litigation ongoing |
| October 21, 2025 | Preliminary settlement approval granted |
| January 20, 2026 | Deadline for exclusion/objection |
| February 18, 2026 | Claim submission deadline |
| March 3, 2026 | Final approval hearing scheduled |
Data exposed
| Data type | Status |
|---|
| Full names | Confirmed |
| Home addresses | Confirmed |
| Phone numbers | Confirmed |
| Email addresses | Confirmed |
| Dates of birth | Confirmed |
| Social Security numbers | Confirmed |
| Race/ethnicity | Confirmed |
| Data type | Status |
|---|
| Patient types | Confirmed |
| Medical record numbers | Confirmed |
| Treatment information | Some patients |
| Healthcare provider details | Some patients |
NOT compromised
| System | Status |
|---|
| Electronic Medical Record (EMR) | Not accessed |
| Complete medical histories | Not in stolen files |
| Prescription records | Not confirmed exposed |
YNHHS confirmed that while their EMR system was not accessed, the stolen files contained significant patient information from other systems.
Impact assessment
Healthcare sector context
| Metric | Details |
|---|
| Ranking | Largest healthcare breach of 2025 |
| Affected population | ~5.56 million patients |
| Geographic impact | Primarily Connecticut, surrounding states |
| Service area | Yale-affiliated hospitals and clinics |
Risk to patients
| Risk | Description |
|---|
| Identity theft | SSNs enable fraudulent accounts |
| Medical identity theft | Medical record numbers can be misused |
| Targeted phishing | Detailed patient info enables scams |
| Insurance fraud | Healthcare info valuable for claims fraud |
Legal proceedings
Class action lawsuit
| Attribute | Details |
|---|
| Case name | In Re: Yale New Haven Health Services Corp. Data Breach Litigation |
| Case number | 3:25-cv-00609-SRU |
| Court | U.S. District Court, District of Connecticut |
| Judge | Hon. Stefan R. Underhill |
$18 million settlement
| Component | Details |
|---|
| Total fund | $18 million |
| Documented losses | Up to $5,000 per claimant |
| Undocumented losses | $100 per claimant |
| Credit monitoring | 2 years free for all class members |
| Medical data monitoring | 2 years free for all class members |
Covered expenses
| Expense type | Reimbursable |
|---|
| Fraud losses | Yes, up to $5,000 |
| Identity theft costs | Yes |
| Credit monitoring purchases | Yes |
| Time spent on remediation | Yes |
| Professional services | Yes |
Settlement claims process
Deadlines
| Deadline | Date |
|---|
| Exclusion/objection | January 20, 2026 |
| Claim submission | February 18, 2026 |
| Final approval hearing | March 3, 2026 |
How to file
| Step | Action |
|---|
| 1 | Visit yalenewhavensettlement.com |
| 2 | Verify eligibility with notification letter |
| 3 | Complete claim form |
| 4 | Submit documentation for losses (if applicable) |
| 5 | Await settlement distribution |
YNHHS response
| Action | Details |
|---|
| Incident response | Engaged cybersecurity experts |
| Law enforcement | Notified appropriate authorities |
| Patient notification | Individual letters sent |
| Regulatory reporting | Filed with HHS OCR |
| Benefit | Duration |
|---|
| Identity protection | 2 years |
| Credit monitoring | 2 years |
| Medical data monitoring | 2 years |
| Fraud resolution assistance | Included |
Healthcare breach context
2025 healthcare breach landscape
| Metric | Value |
|---|
| Total healthcare breaches (2025) | 534 confirmed |
| Total records breached | 276+ million |
| Average breach cost | $7.42 million |
| YNHHS ranking | #1 largest of year |
Contributing factors
| Factor | Impact |
|---|
| Legacy systems | Older infrastructure vulnerable |
| Interconnected networks | Lateral movement easier |
| High data value | Healthcare records premium target |
| Regulatory pressure | HIPAA requirements |
Recommendations
For affected patients
| Priority | Action |
|---|
| Critical | File settlement claim before February 18, 2026 |
| Critical | Enroll in offered credit/medical monitoring |
| High | Place fraud alerts with credit bureaus |
| High | Monitor Explanation of Benefits for unknown claims |
| Medium | Consider credit freeze |
For healthcare organizations
| Priority | Action |
|---|
| Critical | Segment EMR systems from general IT |
| Critical | Implement network detection and response |
| High | Encrypt sensitive data at rest |
| High | Deploy data loss prevention tools |
| Medium | Conduct regular penetration testing |
For patients generally
| Priority | Action |
|---|
| High | Review all Explanation of Benefits statements |
| High | Question unfamiliar medical charges |
| Medium | Request annual medical record audit |
| Medium | Use patient portals to monitor records |
Context
The Yale New Haven Health breach exemplifies the healthcare sector’s ongoing cybersecurity crisis. With 5.56 million patients affected, it represents the largest healthcare data breach of 2025—in a year that saw healthcare records breached at an unprecedented rate.
The exposure of Social Security numbers alongside medical record numbers creates a particularly dangerous combination. Medical identity theft can result in incorrect information entering health records, potentially affecting treatment decisions. Victims may also face fraudulent insurance claims that exhaust their benefits or create collection actions for services never received.
The $18 million settlement, while substantial, averages to approximately $3.23 per affected individual—illustrating the gap between breach costs to organizations and remediation value to victims. Class action settlements rarely make breach victims whole; they primarily cover monitoring services and documented losses.
For the healthcare industry, this breach reinforces the critical importance of network segmentation. YNHHS’s statement that the EMR system was not accessed suggests some segmentation was in place, limiting damage. However, the non-EMR systems still contained extensive patient information that should have been better protected.
Healthcare organizations must recognize they are high-value targets. Patient data commands premium prices on dark web markets because it enables multiple fraud types: identity theft, insurance fraud, and prescription fraud. The sector’s combination of sensitive data, legacy systems, and operational criticality makes it an attractive target for both criminal and state-sponsored actors.
Patients affected by healthcare breaches should remain vigilant for years. Unlike credit card numbers that can be changed, Social Security numbers and medical record numbers persist. Monitoring for medical identity theft—reviewing Explanation of Benefits statements and requesting periodic medical record audits—should become routine practice.
