Yale New Haven Health faces lawsuits over data breach; health system discloses more details about incident

HBJ FILE PHOTO Yale New Haven Health

Write a Comment

A Hartford law firm has filed two federal lawsuits that seek class action status on behalf of clients who claim they were harmed by a data breach that affected the Yale New Haven Health System (YNHHS).

The lawsuits were filed Wednesday in U.S. District Court for the District of Connecticut by Michael J. Reilly, a partner with Cicchiello & Cicchiello LLP, on behalf of Michael Liparulo of New London and Jon Nathanson of Fairfield.

YNHHS said in early March that it was investigating a cybersecurity incident that affected information technology (IT) services across its system.

At the time, YNHHS said the issue was immediately identified by its digital and technology solutions team, “who quickly began working to mitigate the issue and launched an investigation into its source.”

The health system said it also worked with Mandiant, a Virginia-based cybersecurity firm, to determine that the issue was, in fact, “a cybersecurity incident.”

YNHHS said it was notifying federal authorities of the incident and that Mandiant was conducting an investigation. It did not say what form the cybersecurity incident took, or whether any patient or staff information was compromised.

While YNHHS said it was notifying federal authorities, the incident is still not listed on the U.S. Department of Health and Human Services’ Office for Civil Rights Data Breach Portal, which is available online and lists all breaches reported within the last 24 months that are currently under investigation by the Office for Civil Rights.

The two 52-page lawsuits, which are identical except for the names of the plaintiffs, state that YNHHS failed “to properly secure and safeguard Plaintiff’s and Class Members’ sensitive personally identifiable information (PII) and personal health information (PHI), which, as a result, is now in criminal cyberthieves’ possession.”

The lawsuits also state that YNHHS has “done nothing to provide Plaintiff and Class Members relief for the damages they have suffered as a result of the Data Breach."

The lawsuits accuse YNHHS of negligence, breach of implied contract and unjust enrichment. The latter charge stems from the claim that the health system was paid in part by the plaintiffs “to provide reasonable security, safeguards, and protections” for their personal information and failed to do so, so the plaintiffs and class should be reimbursed for that.

The complaints do not provide an estimate for the potential size of the affected class, but the health system serves thousands of patients across its facilities, which include Yale New Haven Hospital, Bridgeport Hospital, Greenwich Hospital and Lawrence + Memorial Hospital in New London.

In a statement emailed to Hartford Business Journal, YNHHS said it “can’t comment on pending litigation.”

The health system did say that it is “coordinating timely notification to all appropriate state and federal authorities” and that it has notified the federal Office of Civil Rights.

YNHHS also said that its investigation of the incident has determined that “an unauthorized third-party gained access to our network and, on March 8, 2025, obtained copies of certain data.”

It said the information involved varies by patient, “but may include demographic information (such as name, date of birth, address, telephone number, email address, race or ethnicity), Social Security number, patient type, and/or medical record number.”

YNHHS said its electronic medical record system was not involved nor accessed, and that “no financial accounts, payment information or employee HR information” was included.

The organization said it has begun mailing letters to patients whose information was affected “and providing appropriate resources, including offering complimentary credit monitoring and identity protection services to individuals whose Social Security number was involved.”

YNHHS said patients are also encouraged to review statements they receive from their healthcare providers and to immediately report any inaccuracies.

“We take our responsibility to safeguard patient information incredibly seriously, and we regret any concern this incident may have caused,” said Dana Marnane, director of public relations and communications for YNHHS. “We are continuously updating and enhancing our systems to protect the data we maintain and to help prevent events such as this from occurring in the future.”