Pierluigi Paganini April 24, 2025

Yale New Haven Health (YNHHS) announced that threat actors stole the personal data of 5.5 million patients in a cyberattack.

Yale New Haven Health (YNHHS) disclosed a data breach that exposed personal information of 5.5 million patients following a cyberattack that occurred earlier this month.

Yale New Haven Health System (YNHHS) is a nonprofit healthcare network headquartered in New Haven, Connecticut. It stands as the largest healthcare system in the state, encompassing a comprehensive array of medical services and facilities.​

The system operates more than 360 locations across Connecticut, southeastern New York, and Rhode Island, managing over 2,400 beds and employing a vast network of healthcare professionals. The healthcare network employs about 30,000 health professionals and has an annual revenue of over $5.6 billion.

On March 11, 2025, YNHHS faced a cybersecurity incident affecting IT services. The issue was quickly contained with help from cybersecurity firm Mandiant. The company declared that patient care and medical records remain unaffected, though some internet and app access issues persist as part of recovery efforts. The organization also notified authorities.

YNHHS disclosed the data breach on April 11, 2025, it added that threat actors stole sensitive patient information. The stolen data varies by patient and includes the following info:

• Full name
• Date of birth
• Home address
• Telephone number
• Email address
• Race/ethnicity
• Social Security number (SSN)
• Patient type
• Medical record number

It was clarified that the exposure did not include financial information, medical records, or treatment details.

“On March 8, 2025, we identified unusual activity affecting our Information Technology (IT) systems. We immediately took steps to contain the incident and began an investigation, which included assistance from external cybersecurity experts. We also reported the incident to law enforcement. The investigation determined that an unauthorized third-party gained access to our network and, on March 8, 2025, obtained copies of certain data.” reads the Notice of Data Security Incident published by the YNHHS. “At no point did this incident impact our ability to provide patient care.”

Starting April 14, YNHHS is mailing letters to patients affected by a data breach. While no misuse of data has been reported, free credit monitoring is offered to those whose Social Security numbers were involved. The organizations set up a dedicated call center at 1-855-549-2678 for questions.

According to the U.S. Department of Health and Human Services breach portal, the incident impacted 5,556,702 individuals.

The organization did not disclose technical details about the attack, however, at this time, no ransomware group has taken responsibility for the attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Yale New Haven Health)