Security | June 10, 2026 | 8 min read

What to Do After the Yale New Haven Health Data Breach

By Sarah Chen

Head of Privacy Research

On March 8, 2025, a criminal third party gained unauthorized access to Yale New Haven Health Services Corporation's network and stole files containing personal information belonging to approximately 5.6 million patients. It was one of the largest healthcare data breaches in U.S. history. If you received care through any Yale New Haven Health facility, here is what happened, what was taken, and exactly what you should do now to protect yourself.

What Happened

YNHHS detected unusual activity on its network on March 8, 2025, and an investigation confirmed that a criminal third party had accessed its systems and exfiltrated files containing patient data. The breach affected 5,556,720 individuals. Notification letters were mailed starting April 14, 2025, and a dedicated call center was established at 1-855-549-2678. An $18 million class action settlement was subsequently reached, with final approval on March 3, 2026.

Key Facts About the Yale New Haven Health Breach

  • Date of breach: March 8, 2025
  • Individuals affected: 5,556,720
  • Data stolen: Names, addresses, phone numbers, email addresses, dates of birth, race/ethnicity, patient types, medical record numbers, and Social Security numbers
  • Data NOT compromised: Electronic medical records (EMR) and financial information were not accessed
  • Settlement: $18 million class action with final approval on March 3, 2026

What Information Was Exposed

The stolen files contained sensitive personal and demographic data:

  • Full names
  • Home addresses
  • Telephone numbers
  • Email addresses
  • Dates of birth
  • Race and ethnicity information
  • Patient type classifications
  • Medical record numbers
  • Social Security numbers

One important distinction: YNHHS stated that electronic medical records and treatment information were not compromised in this breach, nor was financial account information. However, the combination of Social Security numbers, dates of birth, and medical record numbers creates serious risks for both financial fraud and medical identity theft.

Immediate Steps to Take

1. Determine if You Were Affected

If you received care at any Yale New Haven Health facility, check whether you received a notification letter. Letters were mailed starting April 14, 2025. You can also call the dedicated call center at 1-855-549-2678 to confirm whether your data was involved. Do not assume you were unaffected simply because you did not notice a letter — with 5.6 million people impacted, notifications may have been sent to outdated addresses.

2. Freeze Your Credit at All Three Bureaus

Because Social Security numbers were among the stolen data, freezing your credit is the single most important step you can take. A credit freeze prevents anyone — including criminals — from opening new accounts in your name. Contact each bureau directly:

  • Equifax: 800-525-6285 or equifax.com
  • Experian: 888-397-3742 or experian.com
  • TransUnion: 800-680-7289 or transunion.com

Credit freezes are free, take only a few minutes per bureau, and do not affect your credit score. You can temporarily lift a freeze whenever you need to apply for credit.

3. Place a Fraud Alert

Place an initial fraud alert with one of the three bureaus — they are required to notify the other two. A fraud alert requires creditors to verify your identity before opening new accounts. It lasts one year and is free.

4. Enroll in the Free Monitoring Offered

As part of the settlement, all class members can elect to receive two years of free medical data monitoring services. Enroll in this immediately. While credit monitoring alone is not sufficient protection, it provides an additional layer of detection for suspicious activity tied to your medical records and identity.

5. Monitor Your Medical Records

Request a copy of your medical records from YNHHS and any other healthcare providers you visit. Review them carefully for any entries, diagnoses, prescriptions, or procedures that are not yours. Medical identity theft can corrupt your records with someone else's medical history — a situation that can be dangerous if it leads to incorrect treatment decisions.

Medical Identity Theft Is Harder to Detect and Fix

Unlike credit card fraud, which is often caught within days, medical identity theft can go undetected for months or years. Criminals may use your stolen medical record numbers and personal details to file fraudulent insurance claims, obtain prescription drugs, or receive medical care in your name. Corrupted medical records can contain incorrect blood types, allergies, or diagnoses — putting your health at risk. Review every Explanation of Benefits (EOB) statement you receive from your insurer and dispute any claims you do not recognize.

The $18 Million Settlement

A class action lawsuit was filed on behalf of the 5.6 million affected individuals, resulting in an $18 million settlement that received final court approval on March 3, 2026. Here is what affected patients should know:

  • Documented losses: Class members can file claims for up to $5,000 to cover documented out-of-pocket expenses caused by the breach. This includes costs related to identity theft, fraud, credit monitoring services you purchased, and time spent dealing with the aftermath.
  • Alternate cash payment: Class members who do not have documented losses can receive an estimated $100 alternate pro rata cash payment.
  • Medical data monitoring: All class members can elect to receive two years of free medical data monitoring services regardless of which payment option they choose.

If you have not yet filed a claim, check the official settlement website or call 1-855-549-2678 for current deadlines. Keep records of any breach-related expenses, including time spent on calls, postage, monitoring fees, and fraudulent charges.

Ongoing Protection Against Medical Identity Theft

Stolen data circulates on dark web marketplaces for years. Protecting yourself requires ongoing vigilance, not a one-time response.

Warning Signs of Medical Identity Theft

  • EOB statements showing claims for services you did not receive
  • Bills from healthcare providers you have never visited
  • Collection notices for medical debts you do not owe
  • Errors in your medical records, such as incorrect diagnoses or medications
  • Your health insurance reaching its benefit limit unexpectedly
  • Being denied coverage because records show a condition you do not have

Steps for Ongoing Monitoring

  • Review every EOB statement from your insurance company. Do not discard them — check each one for unfamiliar claims.
  • Request your medical records at least once a year from every provider and review them for accuracy.
  • Check your credit reports regularly at AnnualCreditReport.com for accounts or inquiries you do not recognize.
  • Request an IRS Identity Protection PIN at irs.gov/ippin to prevent fraudulent tax returns from being filed with your stolen SSN.

Watch for Scams Exploiting This Breach

After any high-profile data breach, scammers move quickly to exploit the situation. Be alert for:

  • Fake settlement emails or texts: Criminals may impersonate the settlement administrator, asking you to click a link to "verify your claim." Always go directly to the official settlement website — never click links in unsolicited messages.
  • Impersonation calls: Scammers may call pretending to be from YNHHS, your insurer, or a government agency. If someone calls claiming to be from Yale New Haven Health, hang up and call 1-855-549-2678 directly.
  • Fake monitoring services: Be wary of unsolicited offers for "identity protection" that require payment or personal information upfront. The legitimate monitoring through the settlement is free.
  • Phishing using your real data: Because the breach exposed names, addresses, dates of birth, and medical details, phishing attempts may be highly personalized. Any communication that creates urgency should be treated with suspicion.

Remove Your Data From Broker Sites

The personal information stolen in this breach is exactly the type of data that data brokers already collect and sell. When criminals combine breached data with details freely available on people-search websites, they can build comprehensive identity profiles that make fraud significantly easier.

Manually opting out of data broker sites is possible but extremely time-consuming — there are over 100 major sites, each with its own process, and many re-list your information within weeks. PrivacyOn automates removal from over 100 data broker sites and provides 24/7 monitoring to catch re-listings before they become a problem. With family plans covering up to 5 people starting at $8.33 per month, PrivacyOn also includes dark web monitoring to alert you if your stolen information surfaces on underground marketplaces — a critical concern after a breach of this scale.

Reducing the amount of personal data available about you online is one of the most effective ways to limit the damage from any data breach, including this one.

Take Action Now

If you were a patient at any YNHHS facility, assume your data was compromised and act now: freeze your credit, file your settlement claim, enroll in the free monitoring, and begin reviewing your medical records and insurance statements for signs of fraud.

Stolen healthcare data has a long shelf life. The criminals who stole this information may not use it for months or even years. The steps you take today — freezing your credit, monitoring your records, and reducing your exposed personal data — will protect you not just from this breach but from the cascading fraud that follows when stolen data is combined, resold, and exploited.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
