Yale New Haven Health (YNHHS) is warning that threat actors stole the personal data of 5.5 million patients in a cyberattack earlier this month.
YNHHS is a nonprofit healthcare network in Connecticut, the largest in the state, providing comprehensive care across five hospitals and 360 outpatient locations. It employs 30,000 health professionals and has an annual revenue of over $5.6 billion.
On March 11, 2025, the organization first reported that it was dealing with a cybersecurity incident that occurred three days earlier. This incident caused IT system disruptions but did not impact patient care.
Yale New Haven Health hired Mandiant to help with system restoration and forensic investigation while federal authorities were notified about the incident.
On April 11, 2025, YNHHS informed the public that its investigation into the incident confirmed a data breach that may have exposed sensitive patient information to unauthorized actors.
The stolen information varies by patient and includes the following:
- Full name
- Date of birth
- Home address
- Telephone number
- Email address
- Race/ethnicity
- Social Security number (SSN)
- Patient type
- Medical record number
It was clarified that the exposure did not include financial information, medical records, or treatment details.
Starting on April 14, 2025, YNHHS mailed letters to patients confirmed to have been impacted by the incident, enclosing instructions on enrolling in complimentary credit monitoring and identity protection services for those with their SSN exposed.
A new entry on the U.S. Department of Health and Human Services breach portal confirmed that the data breach impacted 5,556,702 patients.
Given the extent of the impact, class action lawsuits are already being prepared by law firms representing impacted individuals seeking reimbursement for the exposure of their sensitive information.
At the time of writing, no ransomware groups have taken responsibility for the attack at Yale New Haven Health, so the attackers remain unknown.