Yale New Haven Health Services Corp.

Yale New Haven Health Services Corp. experienced a **data breach**, discovered on **March 8, 2025**, in which a **criminal third party gained unauthorized access** to its systems, exposing **personal and protected health information (PHI)** of up to **5.3 million individuals**. Compromised data included **names, addresses, Social Security numbers, dates of birth, medical record numbers, and other sensitive details**. The breach led to an **$18 million class-action settlement**, offering affected individuals **up to $5,000 for documented losses** or **$100 in alternate cash payments**, along with **two years of free medical data monitoring**. The lawsuit alleged **failure to adequately protect patient data**, though the company denied wrongdoing. The settlement also mandates **enhanced cybersecurity measures** to prevent future incidents. The breach’s scale and its exposure of **highly sensitive health and financial data** pose severe risks, including **identity theft and fraud** for affected individuals and **long-term reputational damage** to the organization. The financial and operational impact extends beyond direct costs, affecting **trust in healthcare data security** and potentially leading to regulatory scrutiny.

Source: https://www.claimdepot.com/settlements/yale-new-haven-settlement

Yale New Haven Health cybersecurity rating report: https://www.rankiteo.com/company/yale-new-haven-health-system

"id": "YAL3610436112725",
"linkid": "yale-new-haven-health-system",
"type": "Breach",
"date": "3/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '5.3 million individuals',
                        'industry': 'Healthcare',
                        'location': 'New Haven, Connecticut, USA',
                        'name': 'Yale New Haven Health Services Corp.',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Unauthorized access to systems by a criminal third party',
 'customer_advisories': 'Eligible individuals can submit claims for cash '
                        'payments (up to $5,000 for documented losses or $100 '
                        'alternate payment) or medical data monitoring (2 '
                        'years). Deadline to file a claim: February 18, 2026.',
 'data_breach': {'data_exfiltration': 'Yes (unauthorized access to systems)',
                 'number_of_records_exposed': '5,300,000',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Dates of birth',
                                                         'Telephone numbers',
                                                         'Email addresses',
                                                         'Race or ethnicity',
                                                         'Social Security '
                                                         'numbers',
                                                         'Patient types',
                                                         'Medical record '
                                                         'numbers'],
                 'sensitivity_of_data': 'High (includes SSNs, medical record '
                                        'numbers, and PHI)',
                 'type_of_data_compromised': ['Personal information',
                                              'Protected health information '
                                              '(PHI)']},
 'date_detected': '2025-03-08',
 'description': 'Yale New Haven Health Services Corp. agreed to pay '
                '$18,000,000 to settle a class action lawsuit claiming the '
                'company failed to adequately protect personal and protected '
                'health information, which was exposed during a data breach '
                'involving unauthorized access to certain systems. The breach '
                'affected as many as 5.3 million individuals, with compromised '
                'data including names, addresses, dates of birth, telephone '
                'numbers, email addresses, race or ethnicity, Social Security '
                'numbers, patient types, and medical record numbers. Current '
                'and former patients may be eligible for claims of up to '
                '$5,000 or alternate cash payments, along with medical data '
                'monitoring.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'breach and settlement',
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Dates of birth',
                                 'Telephone numbers',
                                 'Email addresses',
                                 'Race or ethnicity',
                                 'Social Security numbers',
                                 'Patient types',
                                 'Medical record numbers'],
            'financial_loss': '$18,000,000 (settlement fund)',
            'identity_theft_risk': 'High (due to exposure of SSNs and personal '
                                   'data)',
            'legal_liabilities': "$18,000,000 settlement, attorneys' fees up "
                                 'to $6,000,000, and service awards up to '
                                 '$2,500 each for class representatives',
            'systems_affected': 'Certain systems of Yale New Haven Health '
                                'Services Corp.'},
 'investigation_status': 'Settled (final approval hearing on March 3, 2026)',
 'post_incident_analysis': {'corrective_actions': 'Enhanced information '
                                                  'security measures (as part '
                                                  'of settlement agreement)',
                            'root_causes': 'Failure to adequately protect '
                                           'personal and protected health '
                                           'information'},
 'references': [{'source': 'Class action settlement notice'}],
 'regulatory_compliance': {'legal_actions': 'Class action lawsuit settled for '
                                            '$18,000,000'},
 'response': {'communication_strategy': 'Settlement notices sent to affected '
                                        'individuals, claim submission process '
                                        'established',
              'remediation_measures': 'Enhanced information security measures '
                                      '(as part of settlement agreement)'},
 'stakeholder_advisories': 'Settlement notices sent to affected individuals '
                           'with claim submission instructions',
 'threat_actor': 'Criminal third party',
 'title': 'Yale New Haven Health $18M Data Breach Settlement',
 'type': 'Data Breach'}