Yale New Haven Health data breach (2025)

In March 2025, Yale New Haven Health System — Connecticut's largest health system, anchored at the Yale-affiliated New Haven Hospital — disclosed a data breach that ultimately affected more than 5.5 million patients. It remained the largest U.S. healthcare data breach of 2025 by individuals affected.

What happened

On 8 March 2025, Yale New Haven Health detected suspicious network activity and engaged Mandiant to investigate and contain the incident. The health system issued a public statement on its website three days later, and on 11 April 2025 filed a breach notification with the HHS Office for Civil Rights citing 5,556,702 affected individuals.

Files stolen from the network included:

• Names, addresses, phone numbers, email addresses
• Dates of birth, race/ethnicity, patient type
• Medical record numbers
• Social Security numbers

Electronic medical records themselves, and financial information, were not compromised — but the combination of identity data with medical record numbers is sufficient to enable medical identity fraud.

Impact

• 5,556,702 patients affected — largest U.S. healthcare data breach of 2025.
• Class-action litigation filed within weeks.
• Yale New Haven Health agreed to an $18 million class-action settlement. Settlement class members may claim up to $5,000 for documented losses or an alternative ~$100 cash payment.
• No specific threat actor or extortion claim has been publicly attributed.

Why it matters

Yale New Haven did the right operational things — engaged Mandiant fast, disclosed within three days, and notified HHS within the required window. But the size of the affected population shows how concentrated U.S. healthcare data has become: a single regional health system held over five million people's identity data, much of which (Social Security numbers, dates of birth, medical record numbers) is immutable and will remain a fraud risk for decades.