Yale New Haven Health Agrees to $18 Million Data Breach Settlement

Posted by Steve Alder

An $18 million settlement proposed by Yale New Haven Health to resolve claims stemming from a 2025 data breach has been granted preliminary approval by a federal court judge. Yale New Haven Health is a non-profit health system that operates five acute care hospitals, including the main teaching hospital for the Yale School of Medicine, as well as a medical foundation and several outpatient facilities in Connecticut, New York, and Rhode Island. The health system employs more than 12,000 people, including 4,500 university and community physicians.

The data breach in question was reported to the HHS’ Office for Civil Rights on April 11, 2025, as involving the protected health information of up to 5,556,702 individuals. The New Haven, Connecticut-based health system identified suspicious network activity on March 8, 2025, and the breach was announced via its website three days later. Yale New Haven Health later confirmed that hackers accessed its network on March 8, 2025, and exfiltrated files containing patient information.

While its electronic medical record system was not accessed, the stolen files contained patient information, including names, addresses, telephone numbers, email addresses, dates of birth, race/ethnicity information, patient types, medical record numbers, and Social Security numbers. At more than 5.5 million affected individuals, the data breach was, and still is, the largest healthcare data breach of the year.

The cyberattack was announced quickly, reported to OCR well within the breach reporting deadline, and notification letters were issued promptly. Yale New Haven Health has also agreed to settle the resultant litigation quickly. Data breach lawsuits can take many months and even years to resolve, yet in this case, a settlement has been approved to resolve the litigation in just 7 months. The first lawsuit over the data breach was filed in March 2025, followed by 17 additional complaints, which were consolidated into a single action in June 2025 – In Re: Yale New Haven Health Services Corp. Data Breach – in the U.S. District Court for the District of Connecticut.

The plaintiffs alleged in the consolidated lawsuit that Yale New Haven Health had failed to implement reasonable and appropriate cybersecurity measures to secure the data stored on its network, and had reasonable measures been implemented, the data breach could have been prevented. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and declaratory judgment.

Yale New Haven Health denied all claims in the lawsuit and filed a motion to dismiss in July, with the plaintiffs filing their opposition in August. At the end of August, all parties attended mediation, and the material terms of a settlement were agreed upon. The details of the settlement have now been finalized and approved by the court. Under the terms of the settlement, Yale New Haven Health has agreed to establish an $18,000,000 settlement fund to cover all costs associated with the litigation – Attorneys’ fees and expenses, service awards for the lead plaintiffs, and settlement administration costs. The remainder of the settlement fund will be used to pay benefits to the class members. The attorneys are seeking one-third of the settlement, and the service awards are likely to be $2,500 per named plaintiff.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may claim an alternative cash payment. The cash payments are anticipated to be approximately $100 per class member. The pro rata cash payments may increase or decrease depending on the number of valid claims received, and will exhaust the settlement fund. In addition to either of those benefits, class members may also claim a two-year complimentary membership to a medical data monitoring service. Yale New Haven Health has also agreed to implement security enhancements.  The final approval hearing has been scheduled for March 3, 2026.

April 24, 2025: Yale New Haven Health System Announces 5.5-Million Record Data Breach

Yale New Haven Health System has announced a data security incident that has affected more than 5.5 million individuals. The breach report to the HHS’ Office for Civil Rights indicates up to 5,556,702 individuals had their protected health information compromised in the incident, making it the largest healthcare data breach to be reported so far this year, beating the previous record of 4.7 million individuals set this month by Blue Shield of California.

Yale New Haven Health is a nonprofit health system in New Haven, Connecticut, that includes five acute-care hospitals, a medical foundation, and multiple outpatient facilities and multispecialty centers in Connecticut, New York, and Rhode Island. On March 8, 2025, anomalous activity was identified within its information technology systems. Immediate action was taken to contain the incident, and an investigation was launched to assess the nature and scope of the unauthorized activity. Yale New Haven Health announced the security incident on its website 3 days after it was detected.

Yale New Haven Health engaged the cybersecurity firm Mandiant to assist with the investigation and said the rapid response helped to ensure it was contained and prevented disruption to patient care. Yale New Haven Health has confirmed that an unauthorized third party gained access to its network on March 8, 2025, and exfiltrated files, some of which included patient information. There was no unauthorized access to its electronic medical record system, and no financial information was compromised in the incident. The types of data stolen in the cyberattack varied from individual to individual and may have included names in combination with one or more of the following: address, telephone number, email address, date of birth, race/ethnicity, patient type, medical record number, and/or Social Security number.

Yale New Haven Health said it continuously updates and enhances its systems to protect sensitive data and will continue to do so. Individual notification letters started to be mailed to the affected individuals on April 14, 2025, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were compromised.

While questions will be asked about how hackers managed to access such a vast amount of patient data, Yale New Haven Health should at least be commended for the rapid response, transparency, and prompt breach notifications, which started to be sent on April 14, 2025.

The post Yale New Haven Health Agrees to $18 Million Data Breach Settlement appeared first on The HIPAA Journal.

Florida Hospital Fires Employees for Taking Unauthorized Photographs of Sedated Patients

Posted by Steve Alder

Four employees of Baptist Health’s Jay Hospital in Florida have been terminated for allegedly taking unauthorized photographs of patients and sharing the images on the Snapchat social media platform. The privacy violations reportedly occurred in February 2025. The employees were alleged to have entered patients’ rooms late at night and photographed patients while they were sleeping or medicated without the patients’ knowledge or consent.

Personal injury attorney Joe Zarzaur was contacted by three patients who were recently notified about the privacy violations by the hospital. It is unclear why it took so long for the affected patients to be notified, or how many patients have been affected. The nature of the photographs was not disclosed to the patients. According to Zazaur, the patients were informed that the photographs were “unflattering” and “horrible.” They were not told how many photographs were taken, exactly what the photographs showed, and were not allowed to see any of the images.

One of the patients was notified about the privacy violation while they were still admitted at Jay Hospital, and another was informed when they visited an outpatient rehab facility. At least two of the affected patients are taking legal action for invasion of privacy and are being represented by Zarzaur.

“Upon learning of the allegation, we immediately conducted a preliminary investigation and notified the appropriate authorities and the patients,” explained a spokesperson for Jay Hospital. “Following the investigation, the individuals involved were terminated. We are committed to protecting the privacy, safety, and dignity of our patients. As this matter involves patient privacy and is currently under investigation, we are unable to share further details at this time.”

The sharing of protected health information (PHI) for reasons unrelated to treatment, payment, or hospital operations is not permitted by the HIPAA Privacy Rule, unless consent is obtained from the subject of the PHI.  Photographs of patients are classed as PHI, and the employees clearly violated HIPAA as well as ethical and professional standards.

The post Florida Hospital Fires Employees for Taking Unauthorized Photographs of Sedated Patients appeared first on The HIPAA Journal.

Greater Cincinnati Behavioral Health Services Pays $850K to Settle Data Breach Litigation

Posted by Steve Alder

Greater Cincinnati Behavioral Health Services (GCBHS) has agreed to pay up to $850,000 to resolve all claims related to a December 2023 ransomware attack that involved unauthorized access to patient and employee information. GCBHS identified the cyberattack on December 10, 2023, and determined that initial access to its network occurred the previous day. The DragonForce ransomware group was behind the attack, and initial access was gained using compromised employee credentials. Those credentials gave the ransomware group access to 72 GB of sensitive data, including employee and patient information.

The breach was reported to the Maine Attorney General as affecting approximately 62,000 individuals, and the HHS’ Office for Civil Rights was told that the protected health information of up to 50,000 individuals was exposed in the attack. The affected employees and patients started to be notified about the data breach on June 12, 2024, and learned that their names, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, health information, and health insurance information had been exposed and potentially stolen.

Two class action lawsuits were filed in response to the breach, which were consolidated into a single complaint – In Re: Greater Cincinnati Behavioral Health Services Data Incident Litigation – in the Court of Common Pleas for Hamilton County, Ohio. The consolidated complaint alleged the defendant had failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network. The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. GCBHS denies all claims of wrongdoing and liability.

All parties attended mediation, and while a settlement was not agreed upon, following months of continued negotiations, a settlement in principle was agreed to resolve the litigation that was acceptable to all parties. The settlement agreement has recently received preliminary approval from the court. Under the terms of the settlement, GCBHS has agreed to pay a maximum of $850,000 to resolve the litigation, inclusive of attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. There are approximately 61,850 individuals in the settlement class.

Class members may submit a claim for reimbursement of documented, unreimbursed losses up to a maximum of $5,000 per class member. A pro rata cash payment can be claimed, which is expected to be in the range of $60 to $120. Additionally, all class members are entitled to claim a one-year subscription to the three-bureau CyEx Medical Shield service. The deadline for objection to and exclusion from the settlement is November 11, 2025. The deadline for submitting a claim is December 11, 2025, and the final approval hearing has been scheduled for January 14, 2026.

The post Greater Cincinnati Behavioral Health Services Pays $850K to Settle Data Breach Litigation appeared first on The HIPAA Journal.

Business Associate Data Breach Affects 462,000 Blue Cross Blue Shield of Montana Members

Posted by Steve Alder

Approximately 462,000 current and former customers of Blue Cross Blue Shield of Montana (BCBSMT) have been affected by a cyberattack on its New Jersey-based business associate, Conduent Business Services. Conduent Business Services provides BCBSMT with payment, document processing, and other back office services, which require access to BCBSMT members’ protected health information. On January 13, 2025, Conduent Business Services identified a security incident that caused operational disruption – terminology typically used to describe a ransomware attack.

Conduent Business Services was able to restore access to the affected systems and return to normal business operations within a few days. The investigation confirmed unauthorized access to its IT environment commencing on October 21, 2024, and lasting for almost three months. During that time, files were exfiltrated from its network. On April 9, 2025, Conduent Business Services disclosed the cyberattack in a filing with the U.S. Securities and Exchange Commission (SEC). At the time, it was unclear exactly how many individuals had been affected.

On October 8, 2025, Conduent Business Services notified the California Attorney General about the data breach, which reportedly affected approximately 4.3 million individuals. It is unclear how many of the company’s clients were affected by the breach, and if the breach affected any other HIPAA-covered entity clients. The breach is not currently listed on the HHS’ Office for Civil Rights website.

BCBSMT notified the Montana State Auditor’s Office about the data breach in early October, almost one year after the breach was first detected by its business associate. BCBSMT claims to have been notified that it was affected earlier this year and has been conducting its own investigation and reviewing the affected data. The review was not completed until September 23, 2025. The BCBSMT data breach is not listed on the OCR breach portal, although the breach portal has not been updated by OCR since September 24, 2025, due to the government shutdown. The Montana State News Bureau learned about the data breach after submitting a records request. The obtained documents indicate that up to 462,000 Montanans have been affected, and that the compromised information included names, birth dates, Social Security numbers, treatment and diagnosis codes, provider names, and claims amounts.

The Montana Commissioner of Securities and Insurance has launched an investigation to determine if there has been a violation of state data breach notification laws, which require individuals to be notified about a data breach in a timely manner. Breached entities must also notify the Department of Justice about a data breach without unreasonable delay, but there is currently no listing on the DOJ consumer protection website about the data breach. The state auditor is seeking answers to questions about the data breach and has requested a copy of its privacy and security policies. Should BCBSMT be determined to have failed to comply with state laws, financial penalties may be imposed.

The post Business Associate Data Breach Affects 462,000 Blue Cross Blue Shield of Montana Members appeared first on The HIPAA Journal.