Yale New Haven Health Breach Hits Over 5.5 Million Patients
Yale New Haven Health, the largest health system in Connecticut, confirmed a data breach that affected over 5.5 million individuals, according to a mandatory notification filed with the US Department of Health and Human Services (HHS).
"The sophistication of the attack leads us to believe it was executed by an individual or group with a prior pattern of these types of incidents," Yale New Haven Health spokeswoman Dana Marnane told TechCrunch.
The intrusion, detected in March 2025, allowed malicious actors to obtain copies of personally identifiable information (PII) and certain patient medical data. According to a notification posted on Yale New Haven Health's website, the compromised data varies by individual, but may include full name, date of birth, physical and email addresses, phone number, race, ethnicity, Social Security number, patient type, and medical record number.
So far, the institution has not confirmed whether it has had contact with the attackers or whether any request for payment was received. Also, no ransomware group has publicly claimed responsibility for the incident. In this type of attack, it is common for the groups responsible to publish the stolen information if a financial settlement is not reached with the victim.
The incident is part of a growing series of cyberattacks targeting the US healthcare sector. According to the HHS Office for Civil Rights (OCR), providers accounted for 64.74% of all healthcare data breach notifications in 2023. The sensitivity of medical information, combined with cybersecurity deficiencies, makes healthcare institutions frequent targets for ransomware and data extortion groups.
Yale New Haven Health, which operates multiple hospitals and medical centers in the region, activated its incident response protocols after identifying the breach and notified federal authorities under the Health Insurance Portability and Accountability Act (HIPAA). It has also begun contacting affected patients directly.
The exact number of people affected could change as the investigation progresses. The system's spokeswoman told local media that this number "may change" as more records are processed and new affected individuals are identified.
This case follows the Blue Shield of California incident, in which the company recently revealed that it had shared data on 4.7 million patients with Google over several years, raising additional concerns about the handling and safeguarding of data in the healthcare sector. Taken together, the two incidents underscore the urgency of strengthening data protection standards in an environment where digital threats continue to rise.
Yale New Haven Health is expected to implement enhancements to its security systems as part of its effort to mitigate the impact of the attack and prevent future intrusions.


