The Yale New Haven Health data incident settlement established an $18 million fund to compensate approximately 5.6 million patients whose personal information was stolen in a March 2025 cyberattack — but the deadline to file a claim has already passed. If you received a postcard with a unique ID and PIN, you were eligible for up to $5,000 in reimbursement for documented losses, or roughly $100 as an alternative cash payment if you had no receipts to show. The claim submission deadline was February 18, 2026, and the official settlement website now confirms that the form is closed. That said, understanding this settlement still matters.
The Final Approval Hearing took place on March 3, 2026, and the court has not yet issued a widely reported ruling. If you already submitted a claim, you need to know what comes next and when payouts might arrive. If you missed the deadline, there may be limited options worth exploring. This article walks through the full timeline of what happened, who qualified, what the settlement offers, and what to expect going forward.
Table of Contents
- What Is the Yale New Haven Health Data Incident Settlement and Who Does It Cover?
- What Data Was Exposed and What Wasn’t Compromised?
- How Much Money Can Claimants Receive From the Settlement?
- How Were Claims Filed and What Did the Process Look Like?
- What Deadlines Have Passed and What Happens After Final Approval?
- What Is Medical Data Monitoring and Why Does It Matter Here?
- What Comes Next for Claimants and the Broader Impact of This Settlement
- Frequently Asked Questions
What Is the Yale New Haven Health Data Incident Settlement and Who Does It Cover?
On March 8, 2025, yale New Haven Health System detected unauthorized activity on its network — hackers had broken in and pulled patient files from systems serving hospitals and clinics across Connecticut, New York, and Rhode Island. The health system brought in Mandiant, a well-known cybersecurity firm, to investigate and contain the damage. Within three days, YNHHS went public with the breach. What followed was a flood of litigation: 18 separate lawsuits were filed starting in March 2025, later consolidated into a single action by June 2025. The $18 million settlement fund received preliminary approval from Judge Stefan R.
Underhill on October 21, 2025. The settlement class includes all living U.S. individuals who received a notice from YNHHS stating that their private information “may have been impacted” by the data incident. You did not need to prove that your data was actually misused — just that you were among the 5.6 million patients notified. For context, that patient count made this the largest healthcare data breach of 2025 by a wide margin. If you were a patient at any YNHHS-affiliated facility and received a mailed notification, you were automatically a class member unless you opted out before the January 20, 2026 exclusion deadline.
What Data Was Exposed and What Wasn’t Compromised?
The breach exposed a serious range of personal information: names, home addresses, dates of birth, phone numbers, email addresses, race and ethnicity data, Social Security numbers, patient types, and medical record numbers. That combination is enough to fuel identity theft, phishing campaigns, and fraudulent account openings for years. A stolen Social Security number paired with a date of birth and address gives criminals nearly everything they need to open credit lines or file fake tax returns in your name.
However, YNHHS was clear that its electronic medical record system was not accessed during the intrusion, and no financial information — such as credit card numbers or bank account details — was compromised. That distinction matters if you are evaluating your actual risk exposure. If your Social Security number was among the stolen data, you face a different and more severe threat profile than someone whose record only included a name and phone number. The settlement did not differentiate between these scenarios for eligibility purposes, but the type of data exposed should inform the monitoring steps you take on your own, even beyond what the settlement provides.
How Much Money Can Claimants Receive From the Settlement?
The settlement offers two tiers of compensation. The first covers documented out-of-pocket expenses caused by the breach, reimbursable up to $5,000 per claimant. This includes costs like credit monitoring services you purchased yourself, fees for credit freezes or fraud alerts, charges related to identity theft recovery, and time spent dealing with fraud at a reasonable hourly rate. For example, if you paid $30 per month for an identity protection service after receiving the breach notice, and you kept receipts or bank statements showing those charges, you could claim that amount along with any other related expenses.
The second tier is an alternative cash payment of approximately $100, available to class members who did not have documented losses but were still affected by the breach. The exact amount may shift depending on how many people filed claims — if the number of claimants exceeded projections, individual payments could be lower. The settlement also includes two years of free medical data monitoring, which is notable because standard credit monitoring would not flag misuse of medical record numbers or patient type information. Medical data monitoring fills a gap that most breach settlements ignore entirely.
How Were Claims Filed and What Did the Process Look Like?
Claims could be submitted online at yalenewhavensettlement.com or by mail. The online process required a unique ID and PIN, both printed on the postcards mailed to affected individuals. If you lost your postcard, the settlement administrator’s phone line at 1-877-730-7795 could help you retrieve your credentials. Mail-in claims were sent to: Yale New Haven Health Data Incident, Settlement Administrator, P.O. Box 5113, Portland, OR 97208-5113.
The tradeoff between the two claim types was straightforward but worth noting. Filing for the alternative cash payment required minimal documentation — essentially just confirming your identity and class membership. Filing for reimbursement of out-of-pocket losses required actual proof: receipts, bank statements, or other records showing what you spent and how it connected to the breach. Claimants who went the reimbursement route stood to receive significantly more money, but the documentation burden was real. Anyone who paid for identity protection but did not keep receipts may have been better off taking the alternative payment rather than filing an incomplete reimbursement claim that could be denied or reduced.
What Deadlines Have Passed and What Happens After Final Approval?
Every critical deadline in this settlement has now expired. The deadline to object to the settlement terms or to request exclusion from the class was January 20, 2026. The claim submission deadline was February 18, 2026. And the Final Approval Hearing before Judge Stefan R. Underhill took place on March 3, 2026, at 4:00 p.m. ET at the Richard C.
Lee U.S. Courthouse in New Haven, Connecticut. As of this writing, the outcome of that hearing has not been widely reported. If you missed the February 18 deadline, your options are extremely limited. Most class action settlements do not reopen their claims periods, and late filings are typically rejected by the settlement administrator. In rare cases, courts allow late claims if a claimant can demonstrate extraordinary circumstances — such as being hospitalized or incarcerated during the entire claims window — but this requires a formal motion and is far from guaranteed. If you believe you have a compelling reason for a late filing, consulting with a consumer rights attorney is the most practical next step, though expectations should remain modest.
What Is Medical Data Monitoring and Why Does It Matter Here?
The two years of free medical data monitoring included in this settlement addresses a risk that most people overlook after a healthcare breach. Unlike standard credit monitoring, which watches for new account openings and credit inquiries, medical data monitoring scans for signs that someone is using your health information to obtain medical services, prescriptions, or insurance benefits in your name. Medical identity theft can result in corrupted health records — imagine showing up at an emergency room and having a doctor reference a medical history that includes someone else’s allergies, blood type, or prescriptions.
That scenario is not hypothetical; it has caused real harm in past breaches. Because the Yale New Haven breach specifically exposed medical record numbers and patient type data alongside Social Security numbers, the risk of medical identity fraud is higher than in a typical retail or financial breach. Even if your financial accounts remain untouched, enrolling in the medical data monitoring benefit is worth doing if you filed a claim.
What Comes Next for Claimants and the Broader Impact of This Settlement
Assuming the court granted final approval on March 3, the next phase involves the settlement administrator processing all valid claims, calculating individual payment amounts, and distributing funds. This process typically takes several months — claimants should not expect checks or direct deposits before mid-to-late 2026 at the earliest. If objections were raised at the hearing or if appeals are filed, the timeline could stretch further.
The $18 million settlement figure also sets a benchmark for future healthcare data breach litigation. At roughly $3.21 per affected patient before legal fees and administrative costs, the per-person recovery is modest by any measure. It reflects the ongoing tension in data breach class actions between the massive scale of harm and the practical limits of settlement funds. For the healthcare industry, this case reinforces that inadequate cybersecurity carries real financial consequences — but whether $18 million is enough to move the needle on institutional security practices remains an open question.
Frequently Asked Questions
Is it too late to file a claim for the Yale New Haven Health settlement?
Yes. The claim submission deadline was February 18, 2026, and the settlement website confirms the form is now closed. Late claims are rarely accepted without a court-approved exception.
How much will I receive if I filed a claim?
It depends on what you filed for. Documented out-of-pocket losses can be reimbursed up to $5,000. If you filed for the alternative cash payment, expect approximately $100, though the exact amount depends on how many total claims were submitted.
When will payments be sent out?
No specific payment date has been announced. If final approval was granted on March 3, 2026, fund distribution typically takes several months. Mid-to-late 2026 is a reasonable expectation, barring appeals.
Was my medical record accessed in the breach?
YNHHS stated that its electronic medical record system was not accessed. However, medical record numbers were among the data types stolen, which means your record identifier — though not the record contents — may have been exposed.
Do I need to do anything after filing my claim?
Keep your mailing address and contact information current with the settlement administrator. You can reach them at 1-877-730-7795. If you move before payments are issued, update your address to avoid missing your check.
What if I already purchased credit monitoring before the settlement?
If you bought credit monitoring or identity protection services because of this breach and kept receipts, you may have claimed those costs as out-of-pocket losses for up to $5,000 in reimbursement — assuming you filed before the deadline.
You Might Also Like
- Everything To Know About The American National Bank & Trust Data Incident Settlement Before You Submit A Claim
- Everything To Know About The Staten Island University Hospital Data Breach Settlement Before You Submit A Claim
- Yale New Haven Health Data Incident Settlement Deadline: What To Do Before February 18, 2026