If you received a notice from Yale New Haven Health System about a data breach that occurred in March 2025, you are likely a qualifying member of the $18 million settlement class and may be entitled to up to $5,000 in compensation for documented losses — or an estimated $100 pro rata payment if you had no out-of-pocket expenses. The settlement covers all living U.S. residents who were sent a breach notification indicating their private information may have been compromised when a criminal third party accessed YNHHS systems. For example, if you were a patient at Yale New Haven Hospital, Bridgeport Hospital, Greenwich Hospital, Lawrence + Memorial Hospital, or Westerly Hospital and received a postcard with a unique ID and PIN, you were identified as one of the 5,556,720 affected individuals. However, the claims deadline of February 18, 2026 has already passed.
If you missed that window, you cannot file a new claim, though you may still be bound by the settlement terms unless you previously opted out. The final approval hearing was scheduled for March 3, 2026 at 4:00 p.m. ET at the Richard C. Lee United States Courthouse in New Haven, Connecticut.
Table of Contents
- Who Qualifies for the Yale New Haven Health Data Incident Settlement?
- What Data Was Compromised in the Yale New Haven Health Breach?
- How the $18 Million Settlement Breaks Down for Affected Individuals
- What You Needed to File a Claim Before the Deadline
- Why This Breach Was the Largest Healthcare Data Incident of 2025
- How to Check If the Settlement Has Received Final Approval
- Protecting Yourself After a Healthcare Data Breach
Who Qualifies for the Yale New Haven Health Data Incident Settlement?
The settlement class is defined broadly. You qualify if you are a living U.S. resident who was sent a notice from YNHHS indicating that your private information may have been impacted by the March 2025 data breach. You did not need to prove that your data was actually misused — the fact that YNHHS identified you as a potentially affected individual and mailed you a notice was enough. This is a significant distinction because many data breach settlements require claimants to demonstrate actual harm, whereas this one extended eligibility to anyone whose information was potentially exposed.
There are specific exclusions. Directors, officers, and agents of Yale New Haven Health System are not eligible. Governmental entities, the presiding judge and court staff, and anyone found guilty of causing the breach are also excluded. If you fall outside those narrow categories and received the breach notice, you were automatically considered a Settlement Class Member. Worth noting: you did not need to have experienced identity theft or fraud to qualify. The settlement acknowledged that the mere exposure of sensitive data like Social Security numbers and medical record numbers creates real risk, regardless of whether that risk has materialized yet.
What Data Was Compromised in the Yale New Haven Health Breach?
On March 8, 2025, YNHHS detected suspicious activity on its network and determined that a criminal third party had gained unauthorized access to certain systems. The compromised data included names, addresses, phone numbers, email addresses, dates of birth, race and ethnicity information, patient types, medical record numbers, and in some cases, Social Security numbers. That combination of personal and demographic data is particularly dangerous because it provides enough information for identity thieves to open credit accounts, file fraudulent tax returns, or impersonate patients in healthcare settings. One critical detail that YNHHS emphasized: the electronic medical record system was not accessed during the breach.
This means that clinical records — diagnoses, treatment histories, prescription information, lab results — were not part of the compromised data. However, that distinction offers limited comfort to people whose Social Security numbers were exposed. A stolen SSN has a shelf life measured in years, not months, and can be used for fraud long after the initial breach. If your breach notice indicated that your SSN was among the compromised data, you should be monitoring your credit reports regardless of whether you filed a claim.
How the $18 Million Settlement Breaks Down for Affected Individuals
YNHHS agreed to pay $18 million to resolve the class action lawsuit, making it one of the largest healthcare data breach settlements of recent years. The settlement offered two payment tracks. Cash Payment A allowed class members to claim up to $5,000 for documented, unreimbursed losses directly related to the breach. This could include costs for credit monitoring services you purchased on your own, fees charged by your bank for replacing compromised cards, time spent dealing with fraudulent accounts, or professional services like hiring an identity theft resolution specialist.
Alternatively, class members who did not have documented losses could select Cash Payment B, an alternative pro rata cash payment estimated at roughly $100 per person. The actual amount depends on how many people filed claims — if fewer people filed than expected, individual payments could be higher, and vice versa. In addition to either cash payment option, all settlement class members were eligible for two years of medical data monitoring services. This is a separate benefit from standard credit monitoring because it specifically tracks whether your medical information is being used fraudulently, which is a growing concern in healthcare breaches where patient types and medical record numbers are exposed.
What You Needed to File a Claim Before the Deadline
To submit a claim, you needed the unique ID and PIN printed on the breach notice postcard that YNHHS mailed to affected individuals. Claims could be filed online at yalenewhavensettlement.com or by mailing a paper form postmarked by February 18, 2026. The online process was straightforward — enter your ID and PIN, select whether you were filing for Cash Payment A or Cash Payment B, and if choosing Payment A, upload documentation of your losses. The tradeoff between the two payment options was significant.
Payment A offered up to $5,000 but required you to gather and submit receipts, bank statements, or other proof of expenses you incurred because of the breach. Payment B required no documentation but paid substantially less — an estimated $100. For someone who spent $30 on a credit monitoring subscription and an hour on the phone with their bank, Payment B was likely the better deal. But for someone who dealt with actual identity theft, paid for credit freezes across multiple bureaus, or hired professional help, Payment A could have been worth considerably more. Unfortunately, for anyone reading this now, both options are closed — the February 18, 2026 deadline has passed.
Why This Breach Was the Largest Healthcare Data Incident of 2025
With 5,556,720 individuals affected, the Yale New Haven Health breach was the largest healthcare data breach reported in 2025. To put that number in perspective, it affected more people than the entire population of Connecticut’s two largest counties combined. The sheer scale of the breach raised questions about the adequacy of cybersecurity protections across large health systems, which manage enormous volumes of sensitive data across multiple hospitals, clinics, and affiliated providers.
One limitation of the settlement that critics pointed out is that $18 million divided among 5.5 million people works out to roughly $3.24 per person if everyone filed a claim. The estimated $100 pro rata payment assumed that only a fraction of eligible individuals would actually submit claims, which is typical — most data breach settlements see claim rates in the single digits. Still, the gap between the headline settlement figure and the per-person payout illustrates a recurring tension in data breach litigation: settlements that sound large in aggregate often translate to modest individual recoveries. The real value for many class members may be the two years of medical data monitoring rather than the cash component.
How to Check If the Settlement Has Received Final Approval
The final approval hearing was scheduled for March 3, 2026 at 4:00 p.m. ET before the U.S. District Court for the District of Connecticut, held at the Richard C.
Lee United States Courthouse in New Haven. To check the current status of the settlement — whether final approval was granted, when payments will be distributed, or whether any objections delayed the process — visit the official settlement website at yalenewhavensettlement.com or call the settlement administrator at 1-877-730-7795. Court records for the case, filed as *Yale New Haven Data Incident Litigation*, are also available through the federal court’s PACER system.
Protecting Yourself After a Healthcare Data Breach
Even with the claims deadline passed, affected individuals should take ongoing precautions. Place fraud alerts or credit freezes with all three major credit bureaus — Equifax, Experian, and TransUnion — if you have not already done so. Monitor your explanation of benefits statements from your health insurer for any services you did not receive, which could indicate medical identity theft.
The two years of medical data monitoring included in the settlement provides an additional layer of protection, but it has a finite window. Looking ahead, healthcare data breaches of this magnitude are likely to result in stricter regulatory scrutiny and potentially larger settlement demands. The YNHHS case may set a benchmark for how courts and plaintiffs’ attorneys evaluate future healthcare breach settlements, both in terms of the per-record settlement value and the types of monitoring services offered to affected individuals. If you were part of this breach, stay attentive to your financial and medical records well beyond the monitoring period.