Major data breach at healthcare giant Yale Health affects 5.5 million people - here's what we know

News
By published

No one has yet taken responsibility for the attack

healthcare
(Image credit: Shutterstock)
  • Yale New Haven Health suffered a cyberattack in early March 2025
  • A subsequent investigation showed the theft of sensitive data
  • More than five million people could have been affected

A recent cyberattack on Yale New Haven Health (YNHHS) may have resulted in the theft of sensitive data of more than five million people.

The non-profit healthcare network confirmed the news in a legal notice published on its website, where it said it had identified “unusual activity” on its IT systems on March 8, 2025.

The subsequent investigation, conducted with the assistance of a third-party forensics expert, showed that “copies of certain data” were stolen.

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

​Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.

It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.

Preferred partner (What does this mean?)

View Deal

Class action lawsuits incoming

“At no point did this incident impact our ability to provide patient care,” YNHHS said.

The organization then detailed the information that was stolen: people’s names, birth dates, addresses, phone numbers, email addresses, race and ethnicity, Social Security numbers, patient type information, and/or medical record numbers.

Electronic medical records and treatment information were not stolen, the organization stressed, and added that the crooks did not steal financial account or payment information.

While the notice did not discuss the number of affected individuals, BleepingComputer found a new entry on the US Department of Health and Human Services breach portal, where it says that 5,556,702 patients are affected.

The publication says that given the extent of the impact, class-action lawsuits are “already being prepared” by law firms representing impacted individuals who will seek reimbursement.

At press time, no threat actors assumed responsibility for the attack, and the data is yet to surface on the dark web.

Generally speaking, organizations in the healthcare industry are an attractive target for cybercriminals, due to the sensitivity of the files they generate, and the fact that many are still running outdated and neglected hardware and software.

In mid-March 2025, for example, both Sunflower Medical Group and Community Care Alliance confirmed suffering a cyberattack and losing data on some 300,000 people.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.