Yale New Haven Health Breach Exposes Data of 5.5 Mn Patients

Connecticut-based Yale New Haven Health System (YNHHS) has confirmed that over 5.5 million individuals were affected by a cyberattack in March, marking the largest health data breach reported to the U.S. Department of Health and Human Services so far in 2025.

The organization, which operates eight hospitals and other care facilities across the state, said the breach involved personal information such as names, birth dates, addresses, contact details, race or ethnicity, Social Security numbers, patient types, and medical record numbers.

However, electronic medical records and financial data were not affected.

"Most applications, including Epic. were not affected and remained fully functioning throughout the incident. We did, initially, face periodic connectivity issues with our internet and phone systems, but that connectivity was restored," a YNHHS spokesperson told Information Security Media Group (ISMG).

The breach was identified on March 8, after YNHHS detected “unusual activity” within its IT systems. The organization immediately contained the incident and launched an investigation with help from external cybersecurity experts. Law enforcement agencies were also notified.

Cybersecurity Response and Legal Repercussions

YNHHS stated, “While our extensive cybersecurity protocols allowed us to quickly detect and take action to mitigate this incident and minimize impacts on patient care, we are continually reviewing and updating our systems to protect the data we maintain.”

The investigation revealed that an unauthorized third party had accessed the network and obtained data copies on March 8. “At no point did this incident impact our ability to provide patient care,” the system clarified in its breach notification.

Affected individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity protection services. YNHHS said it is not aware of any misuse of patient data for identity theft or fraud at this time.

When asked whether the breach involved ransomware or if a ransom was paid, the YNHHS spokesperson said, “We are cooperating with law enforcement and cannot comment on certain details, given the ongoing investigation. I can share that it seems that this was a sophisticated attack likely executed by an individual or group that has a pattern of these types of incidents.”

At least five proposed federal class-action lawsuits have already been filed against YNHHS, alleging negligence in safeguarding personal and protected health information. The organization has declined to comment on ongoing litigation.

Other Recent Healthcare Breaches

The U.S. HHS breach reporting website also added incidents from Onsite Women’s Health, affecting 357,265 individuals, and Bell Ambulance in Wisconsin, which reported exposure of data from 114,000 individuals.