# Incident Report: Yale New Haven Health Data Breach (5.5 Million Records)
## Executive Summary
Yale New Haven Health (YNHHS), Connecticut's largest healthcare system, suffered a major cyberattack in March 2025 that resulted in the compromise of sensitive patient data for over 5.5 million individuals. Malicious hackers successfully accessed and exfiltrated personally identifiable information (PII) and protected health information (PHI). The incident was disclosed via a legally required notice to the U.S. government health department.
## Incident Details
- **Discovery Date:** Not explicitly stated; the breach occurred in March 2025 and was disclosed shortly before the source article's publication date of April 25, 2025.
- **Incident Date:** March 2025
- **Affected Organization:** Yale New Haven Health (YNHHS)
- **Sector:** Healthcare
- **Geography:** Connecticut, USA
## Timeline of Events
### Initial Access
- **Date/Time:** March 2025 (Timeframe of entry)
- **Vector:** Cyberattack (Specific initial vector not detailed in the source)
- **Details:** Malicious hackers gained unauthorized access to YNHHS systems.
### Lateral Movement
- **Details:** The attackers moved within the network environment to obtain copies of patient data (specific techniques not detailed in the source).
### Data Exfiltration/Impact
- **Details:** Attackers obtained copies of patients’ Personally Identifiable Information (PII) and some healthcare-related data.
### Detection & Response
- **Details:** The incident was confirmed and reported via a legally required notice to the U.S. government’s health department. YNHHS posted a notice on its website regarding the breach.
## Attack Methodology
*Note: The source text did not provide specific technical details of the attack methodology; this section therefore reflects only the high-level impact described.*
- **Initial Access:** Cyberattack (Mechanism unknown)
- **Persistence:** Unknown
- **Privilege Escalation:** Unknown
- **Defense Evasion:** Unknown
- **Credential Access:** Unknown
- **Discovery:** Unknown
- **Lateral Movement:** Successful reconnaissance/movement to access the data set.
- **Collection:** Gathering of PII and healthcare data.
- **Exfiltration:** Successful copying/removal of data.
- **Impact:** Compromise of over 5.5 million patient records.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Over 5.5 million individuals affected. Stolen data includes: patient names, dates of birth, postal and email addresses, phone numbers, race and ethnicity data, **Social Security numbers**, medical record numbers, and information about types of patients.
- **Operational:** Not specified, though significant security response implications are implied.
- **Reputational:** Significant negative impact due to the scale of the breach affecting the state's largest healthcare system.
## Indicators of Compromise
*No specific IOCs (IPs, hashes, domain names) were provided in the source material.*
- **Network indicators:** None available.
- **File indicators:** None available.
- **Behavioral indicators:** Unauthorized access, data copying/exfiltration.
## Response Actions
- **Containment measures:** Not detailed.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Notification procedures were initiated (posting on the website and notifying the U.S. government health department).
## Lessons Learned
- The volume of affected individuals is subject to change as the investigation progresses.
- Healthcare systems remain a high-value target for sophisticated cybercriminals.
## Recommendations
- Conduct a thorough forensic investigation to determine the exact initial access vector and TTPs (Tactics, Techniques, and Procedures) used by the malicious actors.
- Review and enhance access controls and encryption measures for databases containing PII and sensitive PHI, especially Social Security Numbers.
- Implement enhanced monitoring to detect unauthorized data staging and exfiltration associated with discovery and lateral movement activities.