
The largest healthcare data breach of 2025 so far has led to an $18 million settlement, with Yale New Haven Health System (Yale New Haven) agreeing to pay that amount to settle a federal class action lawsuit.
A hacking incident has affected 5.55 million patients across Connecticut, New York, and Rhode Island. Reports suggest that the hackers accessed and exfiltrated patient data files. Although the incident appears to involve ransomware, Yale New Haven has neither confirmed that it was ransomware nor released many details about what happened.
Yale New Haven is the second-largest employer in Connecticut, with 31,000 employees. It operates five hospitals and a primary care and specialist physician group practice.
There are 4,500 university and community physicians across 100 medical specialties who provide healthcare services at various locations throughout Connecticut, including Yale New Haven Hospital, a teaching hospital for Yale’s School of Medicine.
Yale New Haven Settles in Record Time
The entire process, from the initial incident through an investigation, several lawsuits, and the judge’s preliminary approval of a settlement, has taken just over seven months, which is record time for a breach case of this size.
- On March 8, Yale New Haven identified a cybersecurity incident on its IT network.
- The investigation showed that an unauthorized third party accessed the network and obtained copies of its patients’ protected health information (PHI).
- On March 11, Yale New Haven published its first announcement about the incident.
- On April 11, Yale New Haven published a more detailed security incident notice explaining what happened.
- On the same day, Yale New Haven reported the breach to the U.S. Department of Health and Human Services (HHS).
- On April 16, a lawsuit was filed in Connecticut.
- Eventually, 17 separate lawsuits were filed, and all were consolidated in federal district court.
- On August 11, the parties notified the judge of a proposed settlement.
- On October 21, the judge gave preliminary approval of the settlement.
- A final approval court hearing is set for March 3, 2026.
Yale New Haven Explains
According to Yale New Haven, an “unauthorized party” gained access to its network and made copies “of certain data.”
The types of information compromised varied by patient but may have included demographic details (such as name, date of birth, address, phone number, email address, race or ethnicity), Social Security number, patient type, and/or medical record number.
Yale New Haven noted that the electronic medical record (EMR) system was neither involved nor accessed in this incident, and no financial accounts, payment information, or employee HR data were included.
The Allegations
The allegations resemble those in other healthcare data breach lawsuits where individuals’ private information is exposed.
The consolidated class action complaint accused Yale New Haven of negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and failure to protect sensitive patient data adequately.
Although not a HIPAA lawsuit per se (because HIPAA does not give a right to sue), the complaint references other laws and standards allegedly violated.
“This duty arises under contract, statutory and common law, industry standards, representations made to plaintiff and class members, and because it is foreseeable that the exposure of private information to unauthorized persons — and especially hackers with nefarious intentions — will harm the affected individuals, including by invasion of their private health and financial matters.”
The Settlement
Yale New Haven has agreed to fund an $18 million all-cash settlement fund.
Attorneys may receive one-third of the settlement fund, or $6 million, plus reimbursement of costs. A handful of class representatives will each receive $2,500 service awards.
All settlement class members can submit claims to get reimbursed for:
- Up to $5,000 for documented losses caused by the data security incident, or
- An alternative cash payment of about $100 (distributed on a pro rata basis).
While $18 million is a sizable settlement, the amount allocated to each of the 5.55 million individuals impacted by the data breach is relatively modest.
After deducting attorneys’ fees, expenses, service awards, and other costs, the remaining fund will be less than $11.5 million. If all 5.55 million claims are filed, each person would receive roughly $2.00. If only 20% of the class files claims, the average payout per person would be about $10.
Class members may also claim two years of medical data monitoring.
Yale New Haven has also agreed to separately fund “meaningful data security measures” to better protect individuals’ private information from future security breaches.
Yale New Haven Moves Forward
Litigation is expensive, and its outcome is uncertain.
By settling the lawsuit, Yale New Haven can reduce its financial risks and start rebuilding its reputation. It also prepares the organization for the inevitable HIPAA investigation by the HHS Office for Civil Rights (OCR).
OCR reviews all breaches involving 500 or more records. We don’t know if Yale New Haven had effective HIPAA compliance—did they have policies, procedures, and workforce training? Did they conduct a HIPAA risk assessment? These are the questions OCR will ask.
However, by focusing on new data security measures and cybersecurity improvements now, Yale New Haven can position itself to resolve an OCR investigation more smoothly, avoiding the distractions and costs associated with litigation.