Yale New Haven Health Settles Data Breach Lawsuit for $18 Million

A federal judge has issued preliminary approval of Yale New Haven Health’s $18 million settlement proposal to resolve claims arising from a 2025 data breach. Yale New Haven Health is a non-profit health system that manages five acute care hospitals, including the Yale School of Medicine, a medical foundation, and some outpatient services in Rhode Island, Connecticut, and New York. The health system has over 12,000 employees, including 4,500 university and community doctors.

On April 11, 2025, the health system reported the data breach, which affected the protected health information (PHI) of 5,556,702 people, to the HHS’ Office for Civil Rights. Yale New Haven Health, based in Connecticut, found suspicious system activity on March 8, 2025, and announced the breach on its website three days later. The health system subsequently stated that hackers gained access to its system on March 8, 2025, and extracted files that contained patient data.

Although the hackers did not access its electronic medical record system, the stolen records included patient data, such as names, telephone numbers, addresses, emails, birth dates, race/ethnicity details, medical record numbers, patient types, and Social Security numbers. With over 5.5 million affected people, this data breach became the biggest healthcare data breach of 2025.

Yale New Haven Health announced the cyberattack immediately, reported the breach to OCR within the allowed time frame, and issued the breach notification letters promptly. The health system likewise agreed quickly to resolve the litigation it faced. Data breach lawsuits can take several months or years to settle, but in this instance, the judge approved the settlement resolving the lawsuit in only 7 months. In March 2025, the first lawsuit associated with the data breach was filed, and then 17 more complaints were filed. In June 2025, the lawsuits were combined into one action, In Re: Yale New Haven Health Services Corp. Data Breach, and filed in the U.S. District Court for the District of Connecticut.

The plaintiffs claimed in the combined lawsuit that Yale New Haven Health failed to put in place reasonable and proper cybersecurity steps to safeguard the data kept on its system. If adequate safety measures had been in effect, they argued, the data breach might have been avoided. The litigation stated claims of breach of implied contract, negligence, negligence per se, unjust enrichment, declaratory judgment, and breach of fiduciary duty.

In July, Yale New Haven Health rejected all claims in the legal action and submitted a motion to dismiss the case. In August, the plaintiffs submitted their opposition. In late August, all parties joined in mediation and agreed to the terms of a settlement. The particulars of the settlement have already been completed and accepted by the court. The terms of the settlement require Yale New Haven Health to create an $18,000,000 settlement fund to pay all expenditures related to the litigation, such as attorneys’ fees and costs, lead plaintiffs’ service awards, and settlement management costs. The rest of the settlement fund will go to the class members’ benefits. The lawyers are seeking 33% of the settlement, and each plaintiff will likely get a $2,500 service award.

Each class member can submit a claim for reimbursement of documented, unreimbursed losses caused by the data breach, up to $5,000. Alternatively, class members can claim a cash payment of roughly $100 per class member. The cash payments may be adjusted pro rata according to the number of legitimate claims submitted. Aside from those benefits, class members can also receive a free medical data monitoring service membership for two years. Yale New Haven Health likewise consented to put in place security improvements. The final approval hearing is scheduled for March 3, 2026.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.