In March, YNHHS experienced a cybersecurity breach in which an unauthorized third party accessed patients’ sensitive data, including demographic information, Social Security numbers, patient types, and medical record numbers. While the breach did not compromise electronic medical records, treatment data, or financial accounts, it exposed personally identifiable information (PII) of patients, leading to a class-action lawsuit. YNHHS agreed to an $18 million settlement fund, with $6 million allocated to attorney fees and $12 million for affected individuals, offering reimbursements of up to $5,000 for documented losses or a flat $100 payment. The breach prompted allegations of inadequate security measures and delayed patient notifications. Despite denying liability, YNHHS committed to enhancing cybersecurity protocols to prevent future incidents. The settlement also includes injunctive relief mandating improved data security practices. The breach impacted thousands of patients, risking identity theft and reputational harm to the health system.
TPRM report: https://www.rankiteo.com/company/yale-new-haven-health-system
"id": "yal0932109103125",
"linkid": "yale-new-haven-health-system",
"type": "Breach",
"date": "3/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Healthcare',
'location': 'Bridgeport, Connecticut, USA',
'name': 'Yale New Haven Health System (YNHHS)',
'size': '12,000+ employees; 4,500 university/community '
'physicians',
'type': 'Healthcare System'}],
'customer_advisories': ['Reimbursement up to $5,000 for documented losses',
'Cash payment option (~$100)'],
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes (Social Security '
'numbers, medical '
'record numbers)',
'sensitivity_of_data': 'High (PII, including SSNs)',
'type_of_data_compromised': ['Demographic information',
'Social Security numbers',
'Patient type',
'Medical record numbers']},
'date_detected': '2023-03',
'date_publicly_disclosed': '2023-04-11',
'description': 'An unauthorized third party accessed patients’ information in '
'a cybersecurity breach at Yale New Haven Health System '
'(YNHHS). The breach exposed demographic data, Social Security '
'numbers, patient type, and medical record numbers, though '
'electronic medical records and financial/payment information '
'were not compromised. YNHHS agreed to an $18 million '
'settlement fund, including $6 million for attorney fees and '
'$2,500 service awards for class representatives. Affected '
'individuals may claim up to $5,000 for documented losses or a '
'$100 cash payment. The settlement also mandates enhanced data '
'security measures. YNHHS denied liability but settled to '
'avoid prolonged litigation.',
'impact': {'brand_reputation_impact': 'Negative (lawsuit, public disclosure '
'of breach)',
'customer_complaints': 'Class action lawsuit filed (2023-04-16)',
'data_compromised': ['Demographic information',
'Social Security numbers',
'Patient type',
'Medical record numbers'],
'financial_loss': '$18 million (settlement fund, including $6 '
'million for attorney fees)',
'identity_theft_risk': 'High (Social Security numbers exposed)',
'legal_liabilities': '$18 million settlement (preliminary approval '
'2024, final hearing scheduled for '
'2026-03-03)',
'operational_impact': 'None (uninterrupted patient care '
'maintained)',
'payment_information_risk': 'None (no financial/payment data '
'accessed)'},
'initial_access_broker': {'high_value_targets': ['Patient demographic data',
'Social Security numbers']},
'investigation_status': 'Ongoing (settlement pending final approval on '
'2026-03-03)',
'lessons_learned': 'Importance of timely patient notification and adherence '
'to industry-standard data security protocols to prevent '
'and detect cyberattacks.',
'post_incident_analysis': {'corrective_actions': ['$18 million settlement '
'fund',
'Enhanced data security '
'measures (as part of '
'injunctive relief)',
'Continuous system updates '
'to prevent future '
'breaches'],
'root_causes': ['Alleged failure to implement '
'industry-standard data security '
'protocols (per lawsuit)',
'Delayed patient notification (per '
'lawsuit)']},
'recommendations': ['Enhance cybersecurity protocols beyond industry best '
'practices',
'Implement faster breach notification processes',
'Regularly update and audit data security measures'],
'references': [{'source': 'Yale Daily News'},
{'source': 'YNHHS Public Statement (2023-04-11)'},
{'source': 'Class Action Lawsuit Settlement (filed '
'2024-09-10)'}],
'regulatory_compliance': {'legal_actions': ['Class action lawsuit (filed '
'2023-04-16)',
'Settlement agreement '
'(preliminary approval '
'2024-09-10)']},
'response': {'communication_strategy': ['Public statement (2023-04-11)',
'Detailed explanation (2023-04-11)',
'Settlement announcement '
'(2024-09-10)'],
'containment_measures': 'Unspecified (successful containment per '
'YNHHS statement)',
'enhanced_monitoring': 'Committed to strengthening data security '
'measures post-breach',
'incident_response_plan_activated': 'Yes (quick identification '
'and containment)'},
'stakeholder_advisories': 'Settlement notices sent to affected patients; '
'claim filing deadline: 2026-01-19',
'threat_actor': 'Unauthorized third party',
'title': 'Yale New Haven Health System Data Breach (March 2023)',
'type': ['Data Breach', 'Unauthorized Access']}