Tim Tai

Yale New Haven Health System, or YNHHS, is facing at least eight federal lawsuits following a March 8 cybersecurity breach.

The breach, which allowed an unauthorized third party to access sensitive patient information, has led to class action filings from law firms across the country. Plaintiffs allege that the health system failed to protect personally identifiable and health information, such as Social Security numbers and medical record numbers, and that it waited too long to clearly notify affected patients.

Plaintiffs seek damages, free lifetime identity protection and an overhaul of the health system’s cybersecurity practices. While YNHHS has acknowledged the breach and begun mailing notification letters, its statement avoided specifics on how the attack occurred or how many patients were affected.

“Without these details, plaintiff’s and class members’ ability to mitigate harms from the data breach is severely diminished,” attorneys for one of the plaintiffs wrote in a complaint filed April 16. 

The breach was first detected on March 8, when YNHHS identified unusual activity in its information systems. According to a statement posted on the health system’s website, external cybersecurity experts were immediately engaged to assist with containment and investigation. The system later confirmed that a third party had accessed patient data, including names, dates of birth, contact details, race or ethnicity, Social Security numbers and medical record numbers. However, electronic medical records and financial accounts were not affected, according to the statement.

As of April 24, the data breach has been officially listed on the U.S. Department of Health and Human Services’ Office for Civil Rights breach portal, which confirms that YNHHS has formally reported the breach, in compliance with federal law. The federal listing indicates that it affected approximately 5.5 million individuals. 

YNHH Director of Public Relations Dana Marnane told the News that the health system reported the incident to law enforcement and offers credit monitoring and identity protection to patients whose Social Security numbers were involved. 

Marnane declined to comment on the lawsuits, but reiterated that YNHHS “takes [its] responsibility to safeguard patient information incredibly seriously.”

“Plaintiffs now face a lifetime risk of identity theft due to the nature of the information lost, which they cannot change,” attorneys in another lawsuit wrote in a complaint filed in the District of Connecticut​.

The lawsuits allege that YNHHS failed to encrypt files, train employees on data security or implement basic protections like multi-factor authentication. Plaintiffs also argue that the system did not follow its own privacy policies, which pledge to secure sensitive patient data and delete it when no longer needed. In some cases, patients say they were unaware of the breach until contacted by attorneys or media.

Jon Nathanson, a plaintiff from Fairfield, Connecticut, said he has faced an increase in spam calls and phishing attempts since the incident. He is one of several plaintiffs alleging emotional distress and long-term risks as a result of the breach. The lawsuits further claim that YNHHS’s notification to patients lacked specificity and delayed their ability to take protective action.

“The information YNHHS provided amounts to no real disclosure at all,” Nathanson’s attorneys wrote. “It fails to inform plaintiffs of the data breach’s critical facts with any degree of specificity.”​

Other lawsuits, filed by patients from across Connecticut, also claim that YNHH violated its own privacy promises and its legal obligations under HIPAA and Federal Trade Commission standards. All complaints reviewed by the News state that patients would not have entrusted their data to YNHH had they known it would be inadequately secured.

“Plaintiff and class members now face a lifetime risk of identity theft due to the nature of the information lost, which they cannot change and which cannot be made private again,” reads one complaint. 

Levi & Korsinsky, one of the firms investigating the breach, described the incident as an example of insufficient data protections in a sector that handles some of the most sensitive personal information.

“Companies that fail to secure your personal data may be held liable for the resulting harm,” the firm wrote in a public statement.

Yale New Haven Health System was formed in 1996 through a partnership between Bridgeport and Yale New Haven hospitals.