
Yale New Haven Health (YNHHS) has announced a cyberattack resulting in the theft of personal data from 5.5 million patients. According to reporting by BleepingComputer the breach, initially reported on 11 March 2025, occurred three days earlier, leading to IT system disruptions but leaving patient care unaffected. YNHHS, a nonprofit healthcare system headquartered in New Haven, Connecticut, operates five hospitals and 360 outpatient facilities, with a workforce of 30,000 and annual revenues exceeding $5.6bn.
YNHHS has enlisted Mandiant to assist with system recovery and forensic analysis and has notified federal authorities of the incident. On 11 April 2025, the organisation confirmed that the breach potentially exposed sensitive patient data to unauthorised individuals.
Sensitive patient data exposed, financial and medical records unaffected
The compromised data includes names, birth dates, addresses, phone numbers, email addresses, race/ethnicity, Social Security numbers (SSN), patient types, and medical record numbers. Financial information, medical records, and treatment details were not compromised.
Beginning 14 April 2025, YNHHS started sending letters to affected patients, providing details on enrolling in complimentary credit monitoring and identity protection services for those whose SSN was exposed.
“We have begun the process of mailing letters to patients whose information was involved in this incident and providing appropriate resources, including offering complimentary credit monitoring and identity protection services to individuals whose Social Security number was involved,” said YNHHS.
“Patients are also encouraged to review statements they receive from their healthcare providers and immediately report any inaccuracies to the provider. We take our responsibility to safeguard patient information incredibly seriously, and we regret any concern this incident may have caused. We are continuously updating and enhancing our systems to protect the data we maintain and to help prevent events such as this from occurring in the future.”
The breach, recorded on the US Department of Health and Human Services breach portal, confirmed the impact on 5,556,702 patients. Law firms are preparing class action lawsuits for affected individuals seeking compensation for the data exposure.
Currently, no ransomware groups have claimed responsibility for the attack, leaving the identity of the attackers unknown. This event follows a similar data breach by Laboratory Services Cooperative (LSC), affecting 1.6 million individuals in October 2024. The Seattle-based nonprofit provides centralised laboratory services to member affiliates, including some Planned Parenthood centres, and reported unauthorised access to its systems.
A report from the Cybernews Business Digital Index in February 2025 reveals ongoing cybersecurity risks for major corporations, with 96% of S&P 500 companies experiencing data breaches. The report identifies vulnerabilities in encryption, software patching, and system hosting, with the Manufacturing, Finance and Insurance, and Healthcare and Pharmaceuticals sectors being the most impacted.