March Breach Affected Nearly 5.6 Million; NextGen Proposed Settlement Also Reached

Yale New Haven Health System, the leading healthcare provider in Connecticut, has reached an agreement to pay $18 million to resolve proposed class action litigation related to a breach reported in March. The incident is acknowledged as the most substantial health data breach disclosed to federal regulators in 2025.
The breach, which involved unauthorized access to the organization’s IT network, impacted nearly 5.6 million individuals. This was publicly disclosed on March 11, following the detection of unusual activity on March 8. A preliminary court approval of the settlement was granted on Tuesday, with a final approval hearing scheduled for March 3, 2026.
The data potentially compromised included various demographic details such as names, dates of birth, addresses, and Social Security numbers. However, it was confirmed that the hackers did not penetrate the Epic electronic medical records system or access financial information.
Details of the Settlement
Numerous lawsuits emerged in the wake of the breach, culminating in a consolidated class action complaint filed in June. The plaintiffs' allegations included negligence and breach of contract, among others. As outlined in the settlement, Yale New Haven Health has established an $18 million cash settlement fund, from which class members may claim up to $5,000 for verified losses or opt for a cash payout of approximately $100. Additionally, class members are eligible for two years of complimentary medical data monitoring.
Experts in data breach litigation noted that swift settlements are often pursued by high-profile organizations like Yale New Haven Health to mitigate reputational damage while also aiming to limit financial liabilities. This strategic approach to settlement may lead to minimal payouts for affected individuals, especially when costs associated with legal fees are factored in.
Yale New Haven Health has committed to enhancing its cybersecurity measures to prevent future incidents. The breach serves as a stark reminder of the evolving nature of cyber threats within the healthcare sector, emphasizing the need for robust data protection strategies.
NextGen Data Breach Settlements
In a related series of developments, legal representatives have requested preliminary approval from a Georgia federal court for a $19.37 million settlement regarding a hacking incident involving NextGen, an electronic health record vendor. This breach in 2023 reportedly affected approximately 1 million individuals.
Under the terms of the proposed settlement, each affected individual may claim compensation for verifiable losses up to $7,500, with provisions for lost time reimbursement and alternative cash payments. All class members will also receive three years of identity and credit monitoring, showcasing a growing trend among companies to offer protective measures following data breaches.