A major data breach has compromised the personal information of 5.5 million patients 

Yale New Haven Health (YNHHS) disclosed that hackers gained unauthorized access to sensitive details such as name, Social Security number, patient type, and medical record number.

The system operates more than 360 locations across Connecticut, New York and Rhode Island.

The breach occurred on March 8, when YNHHS first detected unusual activity within its IT systems. 

However, it was not until April 11 that the organization confirmed patient data had indeed been stolen. 

According to YNHHS, the breach did not compromise electronic medical records or treatment information, and no financial account or payment details were exposed.

The healthcare provider initiated the process of notifying affected individuals via mail starting on April 14. The letters mentioned that there is no indication of any patient data being exploited for identity theft or fraudulent activities.

The US Department of Health and Human Services breach portal confirmed that the data breach impacted 5,556,702 patients. 

That makes it the largest healthcare breach reported to federal regulators so far in 2025.

Yale New Haven Health (YNHHS), which operates five hospitals in Connecticut , reported hackers accessed sensitive information like name, Social Security number, patient type and medical record number 

YNHHS, a nonprofit healthcare system headquartered in New Haven, is the result of Yale School of Medicine and New Haven Hospital joining forces in 1913.

It is the largest healthcare system in Connecticut and includes hospitals, physicians, and related health services throughout the state, as well as in parts of New York and Rhode Island. 

YNHHS publicly reported the suspicious activity on March 11, noting that it did not impact patient care, and opened an investigation.

‘Our investigation has now determined that an unauthorized third-party gained access to our network and, on March 8, 2025, obtained copies of certain data,’ the healthcare system shared on April 11.

‘The information involved varies by patient, but may include demographic information (such as name, date of birth, address, telephone number, email address, race or ethnicity), Social Security number, patient type, and/or medical record number.’

While YNHHS said payment information was not access, it has urged patients to ‘review statements they receive from their healthcare providers and immediately report any inaccuracies to the provider.’

‘We have begun the process of mailing letters to patients whose information was involved in this incident and providing appropriate resources, including offering complimentary credit monitoring and identity protection services to individuals whose Social Security number was involved,’ YNHHS said.

While this is the largest healthcare system breach this year, an attack on UnitedHealth Group last year was the biggest in history.

The system operates more than 360 locations across Connecticut, New York and Rhode Island

Change Healthcare, owned by UnitedHealth Group, fell victim to a cyberattack in February, but revealed in October that 100 million people had been impacted.

That surpassed the previous record holder for worst breach of US patient data: a 2015 episode at Anthem Inc. that compromised 78.8 million individuals.

Another healthcare attack was reported this past February, which saw more than one million Americans’ medical records stolen.

Community Health Center (CHC), based in Connecticut, reported it ‘found that a skilled criminal hacker got into our system and took some data, which might include your personal information.’

The data may have included the patient’s name, date of birth, address, phone number, email, diagnoses, treatment details, test results, Social Security number, and health insurance information.

The breach, which occurred on October 14, 2024, impacted current and former patients, ‘and all individuals who received a COVID test or vaccine at a CHC clinic.’

CHC determined the hacker infiltrated ‘its inadequately secured computer environment,’ gaining access to its data files.

The company said it ‘added special software to watch for suspicious activity.’

The law firm investigating claims on behalf of patients said: ‘These individuals’ personal and highly sensitive information may be in the hands of cybercriminals who can place the information for sale on the dark web or use the information to perpetrate identity theft.’

Murphy Law Firm is currently investigating the breach to determine if a class action lawsuit can be filed against CHC.