More than 5 million Americans just had their personal information exposed in the Yale New Haven Health data breach – and lawsuits are already rolling in
Highly personal data was accessed after Yale New Haven Health was hacked earlier this year


A data breach at Yale New Haven Health (YNHHS) has exposed data belonging to millions of people – and lawsuits have already been filed.
YNHHS runs more than 360 locations across Connecticut, New York, and Rhode Island, and is notifying patients that their personal data might have been affected.
According to an entry on the US Department of Health and Human Services breach portal, the data breach impacted 5,556,702 patients.
"The information involved varied by patient, but may have included demographic information (such as name, date of birth, address, telephone number, email address, race or ethnicity), Social Security number, patient type, and/or medical record number," said YNHHS.
"YNHHS’ electronic medical record and treatment information were not involved or accessed, and no financial account or payment information was involved in this incident."
The breach was first discovered on March 8th when YNHHS spotted unusual activity affecting its IT systems. The organization took steps immediately to contain the incident and began an investigation with the help of external cybersecurity experts from Mandiant.
It also reported the incident to law enforcement. However, patients weren't notified of the breach until late April.
It's now offering complimentary credit monitoring and identity protection services, but only to those whose Social Security number was involved.
Yale New Haven Health faces legal action
Legal action has already been launched. Hartford law firm Cicchiello & Cicchiello has filed two identical lawsuits in the Connecticut District Court on behalf of Michael Liparulo of New London and Jon Nathanson of Fairfield.
The lawsuits allege YNHHS failed to protect personally identifiable and health information, and took too long to notify patients.
Similarly, the cases claim IT practitioners failed to encrypt files, train employees on data security, or implement basic security measures such as multi-factor authentication.
They’re calling for damages, free lifetime identity protection, and major changes to the health system’s cybersecurity practices.
Healthcare in the crosshairs
Healthcare organizations are a prime target for hackers thanks to the vast amount of highly personal data that they hold. According to recent research from Trustwave, for example, 21% of all ransomware attacks worldwide are targeted at public health and government healthcare organizations.
The study found that 45% of attacks exploited public-facing applications, and 56% of the exploits against public-facing applications were against Log4j, with 9% of all attacks coming from the threat group RansomHub.
Third-party threats within supply chains continue to pose 'significant' risks, the researchers found.
"Healthcare artificial intelligence and technology adoption presents a spectrum of risks that few other industries need to navigate. The risk is not just incredibly sensitive data privacy, but human life and quality of patient care," said Kory Daniels, CISO at Trustwave.
"Complex supply chains, lapses in patches and credential management all have consequences too serious for anyone in the healthcare industry to ignore."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.