Yale New Haven Health Data Breach: 5.5 Million Patients Affected

TL;DR

Yale New Haven Health (YNHHS) experienced a data breach affecting 5.5 million patients. The breach exposed personal information including full names, dates of birth, and social security numbers. No financial information or medical records were compromised.

Yale New Haven Health Data Breach: 5.5 Million Patients Affected

Yale New Haven Health (YNHHS) recently announced a significant data breach that compromised the personal information of approximately 5.5 million patients. The cyberattack, which occurred in early March 2025, targeted one of the largest healthcare systems in Connecticut.

About Yale New Haven Health

YNHHS is a nonprofit healthcare network based in New Haven, Connecticut. It operates over 360 locations across Connecticut, southeastern New York, and Rhode Island, managing more than 2,400 beds and employing around 30,000 healthcare professionals. The network has an annual revenue exceeding $5.6 billion¹.

Details of the Cyberattack

On March 11, 2025, YNHHS detected unusual activity in its IT systems, prompting an immediate response. With the assistance of cybersecurity firm Mandiant, the issue was quickly contained. Although patient care and medical records were not affected, some internet and app access issues persisted during the recovery efforts².

Compromised Data

The data breach, disclosed on April 11, 2025, involved the theft of sensitive patient information. The compromised data varied by patient and included:

• Full name
• Date of birth
• Home address
• Telephone number
• Email address
• Race/ethnicity
• Social Security number (SSN)
• Patient type
• Medical record number

Notably, financial information, medical records, and treatment details were not exposed³.

Official Statement

YNHHS released a Notice of Data Security Incident stating:

On March 8, 2025, we identified unusual activity affecting our Information Technology (IT) systems. We immediately took steps to contain the incident and began an investigation, which included assistance from external cybersecurity experts. We also reported the incident to law enforcement. The investigation determined that an unauthorized third-party gained access to our network and, on March 8, 2025, obtained copies of certain data. At no point did this incident impact our ability to provide patient care.

Patient Notifications and Support

Starting April 14, 2025, YNHHS began mailing letters to affected patients. While there have been no reports of data misuse, the organization is offering free credit monitoring to patients whose Social Security numbers were involved. A dedicated call center has been set up at 1-855-549-2678 for any questions or concerns⁴.

Impact and Response

According to the U.S. Department of Health and Human Services breach portal, the incident affected 5,556,702 individuals⁵. YNHHS has not disclosed technical details about the attack, and no ransomware group has claimed responsibility.

Additional Resources

For further insights, check:

• YNHHS Statement on IT Services
• Security Affairs Article

---

Conclusion

The Yale New Haven Health data breach underscores the critical need for robust cybersecurity measures in healthcare. As one of the largest data breaches in the sector, it serves as a reminder for organizations to prioritize data protection and incident response strategies.

References

1. Yale New Haven Health (2025). “About YNHHS”. Retrieved 2025-04-24. ↩︎

2. Yale New Haven Health (2025). “Statement Addressing IT Services”. Retrieved 2025-04-24. ↩︎

3. Yale New Haven Health (2025). “Notice of Data Security Incident”. Retrieved 2025-04-24. ↩︎

4. Yale New Haven Health (2025). “Patient Notification Letter”. Retrieved 2025-04-24. ↩︎

5. U.S. Department of Health and Human Services (2025). “Breach Portal”. Retrieved 2025-04-24. ↩︎