Ximena Solorzano, Head Photography Editor

The Yale New Haven Health System has agreed to finance an $18 million settlement fund in response to a class action lawsuit about a data breach that allowed an unauthorized third party to access patients’ information. 

Last week, a federal judge preliminarily approved the settlement. Although YNHHS denies any liability or wrongdoing for the data breach, the health system will establish a settlement fund to cover legal fees and administrative costs for individuals who were affected by the breach. According to the settlement, which was filed on Sept. 10, impacted patients may seek reimbursement of up to $5,000 for documented losses resulting from the breach or opt for a cash payment of approximately $100.

“We take our responsibility to safeguard patient information extremely seriously,” YNHHS spokesperson Carmen Chau wrote in a statement. “YNHHS had thorough cybersecurity protocols in place in alignment with industry-wide best practices, and due to our team’s quick action to identify and contain this issue, we were able to maintain uninterrupted patient care and prevent access to patients’ clinical information.”

In addition to the $18 million settlement fund, the settlement includes “injunctive relief in the form of meaningful data security measures.” According to the settlement, about $6 million will be allocated to attorney fees, and select class representatives will receive $2,500 service awards.

During the March cybersecurity breach, the unauthorized party stole data including demographic information, social security numbers, patient type and medical record numbers. However, according to a YNHHS statement at the time, “YNHHS’ electronic medical record and treatment information were not involved or accessed, and no financial account or payment information was involved in this incident.”

On April 11, YNHHS released a more detailed explanation of the incident. Shortly after, on April 16, plaintiffs filed a class action lawsuit against YNHHS, alleging that the health system failed to “safeguard their private information it collected and maintained, including by failing to implement industry standards for data security to protect against, detect, and stop cyberattacks.” They also claimed that YNHHS waited too long to inform patients. 

In court documents, YNHHS “denies all liability and all allegations of wrongdoing of any kind.” The health system said it agreed to the settlement to “avoid the further expense, inconvenience and distraction of burdensome and protracted litigation,” according to court records. 

The final approval hearing for the settlement is scheduled for March 3, 2026, in Bridgeport, Connecticut, and a federal judge will determine whether the settlement should be approved. The deadline to file a claim for the settlement is Jan. 19, 2026.

Going forward, YNHHS has said it remains committed to strengthening data security measures.

“We are continuously updating and enhancing our systems to protect the data we maintain and to help prevent events such as this from occurring in the future,” YNHHS spokesperson Carmen Chau wrote.

Yale New Haven Hospital has over 12,000 employees and 4,500 university and community physicians, according to the hospital’s website.