Yale New Haven Health System Reports Data Breach Affecting 5.5 Million Patients

Connecticut-based healthcare provider Yale New Haven Health System has reported a data breach that affected more than 5.5 million patients, according to a report posted by the U.S. Department of Health and Human Services Office for Civil Rights.

The data breach involved a "hacking/IT incident" affecting its network server, resulting in unauthorized access to certain patient data. In a notice posted on its website, Yale New Haven Health System confirmed that it identified unusual activity affecting its IT systems on March 8, and took immediate action to contain the incident and begin an investigation.

The investigation revealed that an unauthorized third-party gained access to the network on March 8, 2025, obtaining copies of certain data. The affected patient data includes name, date of birth, address, telephone number, email address, race or ethnicity, Social Security number, patient type, and/or medical record number.

However, it's worth noting that the unauthorized third-party did not gain access to electronic medical records, treatment information, financial account information, or payment information. As a precautionary measure, Yale New Haven Health System is offering complimentary credit monitoring and identity protection services to individuals whose Social Security number was involved in the breach.

The FBI's Internet Crime Complaint Center (IC3) has reported a significant rise in ransomware complaints over the past year, with nearly half of these complaints involving critical infrastructure organizations like hospitals. This incident highlights the growing threat of data breaches in the healthcare sector.

The breach is not an isolated incident, as several high-profile cybersecurity incidents have been reported recently. The Office of the Comptroller of the Currency (OCC) notified Congress of a "major security incident" involving unauthorized access to OCC emails and email attachments. Online food delivery marketplace Grubhub also identified an incident involving a third-party contractor, which resulted in unauthorized access to certain user contact information.

Additionally, the ransomware attack on UnitedHealth's Change Healthcare business in 2024 impacted around 190 million people, making it the biggest medical-related data breach in U.S. history. The rising threat of cyber attacks underscores the need for robust cybersecurity measures and awareness among healthcare organizations and individuals alike.

The incident is a reminder that data breaches can have far-reaching consequences, affecting not only individual patients but also entire communities. As the healthcare sector continues to evolve, it's essential to prioritize patient safety and security.