The Yale New Haven Health System (YNHHS) has reached an agreement to create an $18 million settlement fund in response to a class action lawsuit regarding a data breach that compromised patient information. A federal judge provisionally approved the settlement last week.
While YNHHS denies any wrongdoing or liability concerning the data breach, the health system will establish the fund to address legal fees and administrative expenses for those affected by the incident. According to the settlement filed on September 10, individuals impacted by the breach can claim reimbursement of up to $5,000 for verified losses or choose a cash payment of approximately $100.
“We take our responsibility to safeguard patient information extremely seriously,” stated YNHHS spokesperson Carmen Chau. “YNHHS had thorough cybersecurity protocols in place in alignment with industry-wide best practices, and due to our team”s quick action to identify and contain this issue, we were able to maintain uninterrupted patient care and prevent access to patients” clinical information.”
The settlement not only includes the financial compensation but also mandates “injunctive relief in the form of meaningful data security measures.” Approximately $6 million of the settlement will be allocated to attorney fees, while selected class representatives will receive service awards of $2,500.
During the cybersecurity incident in March, unauthorized access led to the theft of sensitive data, including demographic information, social security numbers, patient types, and medical record numbers. However, YNHHS clarified at the time that “YNHHS” electronic medical record and treatment information were not involved or accessed, and no financial account or payment information was involved in this incident.”
On April 11, YNHHS provided a more detailed account of the breach, following which, on April 16, the plaintiffs initiated a class action lawsuit against the health system. The lawsuit accused YNHHS of failing to adequately protect the private information it collected and maintained, claiming that it did not implement industry standards for data security necessary to prevent, detect, and halt cyberattacks. Additionally, they alleged that YNHHS delayed too long in notifying patients about the breach.
In court documents, YNHHS has “denied all liability and all allegations of wrongdoing of any kind.” The health system indicated that the decision to settle was made to “avoid the further expense, inconvenience, and distraction of burdensome and protracted litigation,” according to court filings.
The final approval hearing for the settlement is slated for March 3, 2026, in Bridgeport, Connecticut, where a federal judge will decide whether to formally approve the arrangement. Claimants must file their claims by January 19, 2026.
Looking ahead, YNHHS has expressed its commitment to enhancing data security measures. “We are continuously updating and enhancing our systems to protect the data we maintain and to help prevent events such as this from occurring in the future,” Chau added.
According to its website, Yale New Haven Hospital employs more than 12,000 staff members and collaborates with 4,500 university and community physicians.
