Yale New Haven Health System (YNHHS), a major healthcare provider affiliated with Yale University, has disclosed a data breach impacting more than 5.5 million individuals. The breach, which involved unauthorized access to sensitive patient data, is one of the largest reported healthcare cybersecurity incidents this year.
Suspicious Activity Detected on March 8
On April 11, YNHHS confirmed that it had discovered unusual activity on its IT infrastructure on March 8. While patient care was not affected, a follow-up investigation revealed that the attackers copied data from the health system’s servers on the day of the breach.
The incident is currently under review, and YNHHS is working with law enforcement and cybersecurity experts to assess the full impact.
Sensitive Data Compromised but Medical Records Remain Untouched
According to YNHHS, the breach involved personal and demographic information. While the exact data exposed varies by individual, affected data types include:
- Full name
- Date of birth
- Home address
- Phone number and email address
- Race and ethnicity
- Social Security Number
- Medical record number
However, the organization stated that its electronic medical record (EMR) system was not accessed, and no financial account details, payment data, or employee HR records were involved in the breach.
No Known Group Has Claimed Responsibility
So far, no cybercrime group has taken credit for the breach. It remains unclear whether the incident was a ransomware attack, though it is a possibility. If it was, YNHHS may have chosen to pay a ransom to prevent public exposure of the stolen data, which could explain the silence from threat actors.
SecurityWeek reached out to YNHHS for further comment but had not received a response at the time of reporting.
Healthcare Sector Sees Ongoing Wave of Cybercrime
This incident adds to a growing list of major cyberattacks on the U.S. healthcare sector. Data from the Department of Health and Human Services (HHS) shows that over 700 healthcare data breaches were reported in the country last year, affecting more than 180 million patient records.
Healthcare organizations remain a top target for attackers due to the volume of sensitive personal and medical data they store.
