March Breach Affected Nearly 5.6 Million; NextGen Proposed Settlement Also Reached

Yale New Haven Health System, the largest healthcare organization in Connecticut, has agreed to pay $18 million to settle proposed class action litigation involving a March hacking incident affecting nearly 5.6 million people. The hack ranks as the biggest health data breach reported to federal regulators so far in 2025.
A federal court granted preliminary approval of the settlement on Tuesday, and a final approval court hearing is set for March 3, 2026.
Yale New Haven Health has more than 12,000 employees and 4,500 university and community physicians in 100 medical specialties who provide healthcare services in numerous locations throughout Connecticut, including its flagship Yale New Haven Hospital, a teaching hospital for Yale’s School of Medicine.
The settlement in the consolidated proposed class action lawsuit came relatively swiftly – only about seven months after Yale New Haven Health publicly disclosed on March 11 that on March 8 it discovered “unusual activity” affecting its IT systems, and that an “unauthorized third-party” had gained access to its IT network.
By April 11, Yale New Haven Health reported to the U.S. Department of Health and Human Services a HIPAA breach involving a hacked network server affecting more than 5.55 million individuals (see: Yale New Haven Health Notifying 5.5 Million of March Hack).
The organization said in its breach notice that hackers did not access the health system’s Epic electronic medical record and treatment information, and no financial account or payment information was involved.
The information accessed or stolen by the attackers varied by patient, but potentially included demographic information – such as name, date of birth, address, telephone number, email address, race or ethnicity, Social Security number, patient type and medical record number, Yale New Haven Health said.
YNHHS Settlement Details
Several lawsuits were filed in the weeks following the hack. In June, plaintiffs filed a consolidated class action complaint accusing Yale New Haven Health of negligence, breach of implied contract and unjust enrichment, among several other allegations.
Under the settlement terms, Yale New Haven Health agreed to fund an $18 million non-reversionary all cash settlement fund. Settlement class members can submit claims for the reimbursement of up to $5,000 for documented losses arising from the data security incident – or an alternative cash payment of approximately $100.
Class members can also make a claim for two years of medical data monitoring.
Class representatives are slated to each receive $2,500 service awards. Class counsel is seeking one-third of the settlement fund, or $6 million, in attorneys’ fees, plus reimbursement of costs.
In addition, YNHHS has agreed to separately fund “meaningful data security measures” to better protect individuals’ private information from future data security incidents, court documents said.
“Class action plaintiffs can count on speedy settlements because prestigious defendants like Yale New Haven Health hurry to stanch reputational bleeding,” said regulatory attorney Paul Hales of the Hales Law Group, which is not involved in the YNHHS case.
“Defendants also seek to limit their monetary loss. Here, YNHHS’ loss is limited to $18 million, of which plaintiffs’ counsel receives one-third. The prospect of a $100 alternative payout to victims is illusory because it is ‘pro rata,’” he said.
“After attorneys’ fees and costs are deducted, the amount for distribution to 5.55 million affected individuals is less than $12 million. On a pro rata basis, split among 5.55 million individuals, that is a little more than $2 per person.”
Attorneys representing the plaintiffs and class members in the case did not immediately respond to Information Security Media Group’s requests for comment on the settlement.
Also, Yale New Haven Health did not immediately respond to ISMG’s request for comment on the settlement and for additional details about the data breach and the security improvements being implemented in the aftermath of the hack.
Proposed NextGen Data Breach Lawsuit Settlement
In a separate case on Wednesday, attorneys asked a Georgia federal court to approve a preliminary $19.37 million settlement in consolidated class action litigation filed against electronic health record vendor NextGen in the wake of a 2023 hacking incident that affected about 1 million individuals (see: NextGen Facing Dozen Lawsuits So Far Following Breach).

Under that proposed settlement, each class member can submit a claim for verifiable out-of-pocket losses up to $7,500; lost time of up to $250 – or up to 10 hours at $25 per hour; or an alternative cash payment of $50, subject to pro rata adjustment. California class members can each submit a claim for an alternative cash payment of up to $150.
All NextGen settlement class members also are entitled to enroll in three years of free identity and credit monitoring.
As of Friday the court had not yet set a hearing date for preliminary approval of the NextGen settlement.
