Yale New Haven Health System reports data breach affecting over 5.5 million patients

Yale New Haven Health System (YNHHS), one of Connecticut’s largest healthcare providers, has confirmed a significant data breach that may have exposed the personal information of more than 5.5 million patients. The breach, publicly disclosed on April 11, 2025, follows the detection of suspicious activity within its IT systems on March 8.

While the organization emphasized that patient care services remained unaffected during the incident, a subsequent investigation revealed that threat actors managed to exfiltrate data from the system on the same day the intrusion was identified.

The compromised data includes sensitive personal information that varies across affected individuals. Exposed data may consist of names, dates of birth, mailing addresses, phone numbers, email addresses, race or ethnicity, Social Security numbers, and medical record numbers. Importantly, YNHHS clarified that its core electronic medical record system was not accessed during the breach, and no financial account data, payment information, or employee human resources records were involved.

Despite the severity of the incident, the source and intent of the attack remain unclear. While some cybersecurity experts suspect a ransomware attack, no cybercriminal group has publicly claimed responsibility. In the absence of any data being leaked on known ransomware forums, speculation has emerged that a ransom may have been paid to prevent public disclosure of the stolen information. However, YNHHS has not confirmed or denied this possibility, and inquiries to the organization have yet to receive a response.

The breach has been listed on the U.S. Department of Health and Human Services (HHS) Office for Civil Rights breach portal, which tracks healthcare data incidents across the country. With more than 5.5 million individuals potentially affected, it ranks among the largest healthcare-related data breaches in recent memory.

This incident adds to a growing list of cybersecurity challenges facing the U.S. healthcare sector. According to HHS data, over 700 healthcare data breaches were reported in 2024 alone, compromising the records of more than 180 million individuals. These incidents often involve ransomware and the exploitation of third-party vendors or outdated IT infrastructure.