Yale New Haven Health: 5.5 million patient records exposed
Apr 25, 2025
4 min read

When cybercriminals targeted a major health system earlier this year, the scale of the breach sent shockwaves through the industry. Nearly 5.5 million individuals were affected, putting this incident among the largest healthcare data breaches of 2025. While the intrusion was under way, clinics and hospitals kept running and electronic medical records stayed untouched. But behind the scenes, investigators discovered that the threat actor had copied a massive trove of patient information, exposing how exposed even well-defended organizations can be.
What happened
Yale New Haven Health identified unusual activity affecting its IT systems on March 8, 2025, and immediately contained the incident. The health system launched an investigation with an external cybersecurity firm, notified law enforcement, and publicly disclosed the incident three days after detection. On April 11, 2025, Yale New Haven Health began notifying patients that an unauthorized third party had gained access to its network and copied certain files. The federal breach portal lists 5,556,702 impacted individuals, making this the largest healthcare data breach reported in 2025 and surpassing Community Health Center's 1-million-record breach from earlier this year.
What data was exposed
The information varies by individual and may include full name, date of birth, home address, telephone number, email address, race or ethnicity, patient type, medical record number, and Social Security number. Yale New Haven Health confirmed that its electronic medical record system was not accessed during the incident, and no financial account, payment information, or employee HR data was compromised. Patient notification letters began mailing on April 14, 2025, with complimentary credit monitoring and identity protection services offered to individuals whose Social Security numbers were involved.
Why leaders should care
Data exfiltration incidents without system disruption shift the primary risk from operational downtime to privacy violations and compliance exposure. These breaches create mandatory regulatory notifications, trigger class action litigation, increase fraud risk for affected individuals, and erode long-term stakeholder trust. Within weeks of the disclosure, multiple class action lawsuits were filed against Yale New Haven Health alleging inadequate safeguards. The combination of regulatory penalties, litigation costs, credit monitoring services for millions of patients, and reputational damage demonstrates how "quiet" breaches can generate business-defining financial impact.
How attacks like this unfold
Adversaries establish initial access to a target network, conduct reconnaissance to identify where high-value data resides, then systematically extract copies of sensitive information. This exfiltration-focused approach often occurs without deploying ransomware or disrupting clinical operations, allowing attackers to maintain persistence while avoiding immediate detection. Yale New Haven Health emphasized that patient care was never impacted, appointments continued, the patient portal remained operational, and clinical systems functioned normally. The absence of disruption also meant there was no loud operational signal to investigate; by the time the activity was detected and contained, the threat actor had already copied files containing sensitive identifiers for 5.5 million individuals.
What to do now
Review access controls and update credentials
Organizations should regularly review who has access to systems storing patient identifiers and medical record numbers, and rotate credentials, keys, and tokens after any security incident. It is equally important to monitor for unusual activity, such as an account reading far more records than its normal workload or moving unusually large volumes of data out of the network, and to ensure that administrative and reporting systems do not provide easy routes to sensitive patient data.
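The reconnaissance-then-bulk-copy pattern described under "How attacks like this unfold" and the "monitor for unusual activity" advice above are the kind of thing a detection engineer would turn into a concrete rule. The following is an added example, not code from the original article or from Yale New Haven Health: it builds a constructed audit trail (a clinician and a reporting service account, seven quiet days, then one day of bulk record reads and heavy outbound transfer) and flags any principal whose distinct-record count or outbound byte volume jumps well above that principal's own median. The event schema, account names, and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    principal: str   # user or service account that made the request
    mrn: str         # medical record number the request touched
    bytes_out: int   # bytes this request moved to a destination outside the network


def build_sample_log():
    """Constructed audit trail for the example (not real data, assumed schema).

    Seven ordinary days, then a day on which a reporting service account reads
    hundreds of times more distinct records than usual and pushes a large
    volume outbound: the footprint a bulk copy of patient files tends to leave.
    """
    events = []
    start = datetime(2025, 3, 1, 8, 0)
    for day in range(8):
        day_start = start + timedelta(days=day)
        # Clinician: about 40 distinct charts per shift, nothing sent outbound.
        for i in range(40):
            events.append(AccessEvent(day_start + timedelta(minutes=10 * i),
                                      "nurse.a", f"MRN{day * 40 + i:07d}", 0))
        # Reporting account: about 50 records/day, ~2 MB to an external vendor.
        n_records, total_bytes = 50, 2_000_000
        if day == 7:                      # the bulk-copy day
            n_records, total_bytes = 20_000, 1_500_000_000
        per_request = total_bytes // n_records
        for i in range(n_records):
            events.append(AccessEvent(day_start + timedelta(seconds=i),
                                      "svc.reporting", f"MRN{i:07d}", per_request))
    return events


def daily_profile(events):
    """Per (principal, day): distinct MRNs touched and total bytes sent outbound."""
    mrns = defaultdict(set)
    out = defaultdict(int)
    for e in events:
        key = (e.principal, e.ts.date())
        mrns[key].add(e.mrn)
        out[key] += e.bytes_out
    return {k: (len(mrns[k]), out[k]) for k in mrns}


def detect_bulk_access(events, ratio=5.0, min_records=500,
                       min_bytes=50_000_000, min_history=3):
    """Flag a principal's day when distinct records or outbound bytes exceed
    `ratio` times that principal's own median over earlier days AND an
    absolute floor (so an account with a baseline of one record is not flagged
    for reading six). Thresholds are illustrative assumptions; tune them
    against real baselines before relying on them.
    """
    by_principal = defaultdict(list)
    for (principal, day), (n_records, n_bytes) in daily_profile(events).items():
        by_principal[principal].append((day, n_records, n_bytes))

    findings = []
    for principal, rows in by_principal.items():
        rows.sort()                                   # chronological order
        for idx, (day, n_records, n_bytes) in enumerate(rows):
            history = rows[:idx]                      # only days before this one
            if len(history) < min_history:
                continue
            base_records = median([h[1] for h in history])
            base_bytes = median([h[2] for h in history])
            if n_records >= min_records and n_records > ratio * base_records:
                findings.append({"principal": principal, "day": day,
                                 "metric": "distinct_records",
                                 "value": n_records, "baseline": base_records})
            if n_bytes >= min_bytes and n_bytes > ratio * base_bytes:
                findings.append({"principal": principal, "day": day,
                                 "metric": "bytes_out",
                                 "value": n_bytes, "baseline": base_bytes})
    return findings


if __name__ == "__main__":
    for finding in detect_bulk_access(build_sample_log()):
        print(finding)
```

The per-principal baseline matters more than the absolute numbers: a reporting service account legitimately reads more than a nurse does, so a single global threshold either misses the service account's bad day or drowns analysts in alerts from normal batch jobs. Pairing a record-count signal with an outbound-volume signal also gives two independent chances to catch a copy in progress, which is the window the article's timeline shows was missed.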
Utilize available patient resources
For those affected, Yale New Haven Health set up a dedicated information page and call center to help answer questions. Patients whose Social Security numbers were involved receive two years of free credit monitoring and identity theft protection. Clear and consistent updates help maintain trust during investigations.
Document remediation and communicate with regulators
Documenting containment and remediation steps is essential for accountability. Communication with regulators and law enforcement should be prompt and thorough to demonstrate responsible management and ongoing risk reduction.
Pressing questions
Did patient care stop during the incident?
No. Yale New Haven Health confirmed that care delivery, its patient portal, and electronic medical records continued operating normally throughout the investigation and containment process. The focus on data exfiltration rather than system disruption allowed clinical operations to proceed without interruption.
Was the EMR accessed in this breach?
Yale New Haven Health reports that its electronic medical record system was not involved in the incident. Threat actors copied files containing patient identifiers, but treatment records, clinical notes, and detailed medical histories stored in the EMR were not accessed.
How many people were affected?
The breach notification filed with the Department of Health and Human Services lists 5,556,702 impacted individuals, making this the largest healthcare data breach reported in 2025.
What information should be considered exposed?
Data varied by individual but may include names, dates of birth, addresses, telephone numbers, email addresses, race or ethnicity, patient type, medical record numbers, and Social Security numbers. Financial information, payment details, and employee HR data were not involved.
Key takeaways
Breaches that maintain operational continuity can still generate significant financial, legal, and reputational consequences. Organizations need proactive offensive security testing to discover exploitable paths to sensitive data before adversaries do. Comprehensive penetration testing and red team engagements simulate the reconnaissance and exfiltration techniques that threat actors use in real-world attacks. These exercises identify which security controls effectively prevent unauthorized data access versus those that merely satisfy compliance requirements, enabling leadership to make risk-based decisions about security investments that demonstrably reduce breach probability.