Yale New Haven Health System reported a data security incident that impacted over 5.5 million people. The data breach report submitted the HHS’ Office for Civil Rights shows that the protected health information (PHI) of approximately 5,556,702 people were compromised during the incident. This is the biggest healthcare data breach report posted this year. Last year, Blue Shield of California reported a 4.7 million-record data breach.
Nonprofit health system, Yale New Haven Health based in New Haven, Connecticut, manages a medical foundation, five acute-care hospitals, and several outpatient facilities and multispecialty centers in Connecticut, Rhode Island, and New York. On March 8, 2025, Yale New Haven Health discovered anomalous activity in its IT systems. It took quick action to secure the incident. The health system started an investigation to evaluate the nature and extent of the unauthorized activity. Yale New Haven Health posted a notice about the security incident on its website 3 days after discovery.
The cybersecurity company Mandiant assisted Yale New Haven Health with the investigation and stated the quick response helped to contain and avoid disruption to patient care services. Yale New Haven Health stated that an unauthorized third party acquired access to its system on March 8, 2025, and stole files, some with patient data. The incident did not affect its electronic medical record system, and financial database. The types of information stolen during the cyberattack differed from person to person and might have involved names along with at least one of the following data: address, phone number, email address, birth date, race/ethnicity, medical record number, patient type, and/or Social Security number.
Yale New Haven Health stated it is updating and enhancing its systems to secure sensitive information. It started mailing personal notification letters to the impacted persons on April 14, 2025. It offered free credit monitoring and identity theft protection services to people who had their Social Security numbers exposed.
Although there will be questions concerning the way the hackers accessed patient data, Yale New Haven Health is commended for its quick response, transparency, and immediate breach notifications that were sent beginning April 14, 2025.