A major data breach has compromised the personal information of 5.5 million patients
Yale New Haven Health (YNHHS), which runs five hospitals in Connecticut, disclosed that hackers managed to access sensitive data such as names, Social Security numbers, patient type, and medical record numbers.
The breach occurred on March 8, when YNHHS first detected unusual activity within its IT systems.
However, it was not until April 11 that the organization confirmed patient data had indeed been stolen.
YNHHS clarified that electronic medical records and treatment details were not compromised, and no financial account or payment information was included in the security breach.
The healthcare provider initiated the process of sending letters to affected patients on April 14, assuring them that there is no indication of any patient data being misused for identity theft or fraudulent activities.
The US Department of Health and Human Services breach portal confirmed that the data breach impacted 5,556,702 patients.
That makes it the largest healthcare breach reported to federal regulators so far in 2025.

YNHHS publicly reported the suspicious activity on March 11, noting that it did not impact patient care, and opened an investigation.
‘Our investigation has now determined that an unauthorized third-party gained access to our network and, on March 8, 2025, obtained copies of certain data,’ the healthcare system shared on April 11.
‘The information involved varies by patient, but may include demographic information (such as name, date of birth, address, telephone number, email address, race or ethnicity), Social Security number, patient type, and/or medical record number.’
While YNHHS said payment information was not accessed, it has urged patients to ‘review statements they receive from their healthcare providers and immediately report any inaccuracies to the provider.’
‘We have begun the process of mailing letters to patients whose information was involved in this incident and providing appropriate resources, including offering complimentary credit monitoring and identity protection services to individuals whose Social Security number was involved,’ YNHHS said.
While this is the largest healthcare system breach this year, an attack on UnitedHealth Group last year was the biggest in history.
Change Healthcare, owned by UnitedHealth Group, fell victim to a cyberattack in February, but revealed in October that 100 million people had been impacted.
That surpassed the previous record holder for worst breach of US patient data: a 2015 episode at Anthem Inc. that compromised 78.8 million individuals.
Another healthcare attack was reported this past February, which saw more than one million Americans’ medical records stolen.
Community Health Center (CHC), based in Connecticut, reported it ‘found that a skilled criminal hacker got into our system and took some data, which might include your personal information.’
The data may have included the patient’s name, date of birth, address, phone number, email, diagnoses, treatment details, test results, Social Security number, and health insurance information.
The breach, which occurred on October 14, 2024, impacted current and former patients, ‘and all individuals who received a COVID test or vaccine at a CHC clinic.’
CHC determined the hacker infiltrated ‘its inadequately secured computer environment,’ gaining access to its data files.
The company said it ‘added special software to watch for suspicious activity.’
The law firm investigating claims on behalf of patients said: ‘These individuals’ personal and highly sensitive information may be in the hands of cybercriminals who can place the information for sale on the dark web or use the information to perpetrate identity theft.’
Murphy Law Firm is currently investigating the breach to determine if a class action lawsuit can be filed against CHC.