Yale New Haven Health Agrees to $18 Million Data Breach Settlement
An $18 million settlement proposed by Yale New Haven Health to resolve claims stemming from a 2025 data breach has been granted preliminary approval by a federal court judge. Yale New Haven Health is a non-profit health system that operates five acute care hospitals, including the main teaching hospital for the Yale School of Medicine, as well as a medical foundation and several outpatient facilities in Connecticut, New York, and Rhode Island. The health system employs more than 12,000 people, including 4,500 university and community physicians. The data breach in question was reported to the HHS’ Office for Civil Rights on April 11, 2025, as involving the protected health information of up to 5,556,702 individuals. The New Haven, Connecticut-based health system identified suspicious network activity on March 8, 2025, and the breach was announced via its website three days later. Yale New Haven Health later confirmed that hackers accessed its network on March 8, 2025, and exfiltrated files containing patient information. While its electronic medical record system was not accessed,...
Florida Hospital Fires Employees for Taking Unauthorized Photographs of Sedated Patients
Four employees of Baptist Health’s Jay Hospital in Florida have been terminated for allegedly taking unauthorized photographs of patients and sharing the images on the Snapchat social media platform. The privacy violations reportedly first occurred in February 2025; however, this appears to have been a long-running issue, as one patient alleges that they were photographed in August. The employees were alleged to have entered patients’ rooms late at night and photographed patients while they were sleeping or medicated, in either a semi-nude or nude state, without the patients’ knowledge or consent. Personal injury attorney Joe Zarzaur was contacted by three patients who were recently notified about the privacy violations by the hospital. One of the patients was notified about the privacy violation while they were still admitted at Jay Hospital, and another was informed when they visited an outpatient rehab facility. It is unclear why it took so long for the affected patients to be notified, or how many patients have been affected. According to Zarzaur, the patients were informed that...
Greater Cincinnati Behavioral Health Services Pays $850K to Settle Data Breach Litigation
Greater Cincinnati Behavioral Health Services (GCBHS) has agreed to pay up to $850,000 to resolve all claims related to a December 2023 ransomware attack that involved unauthorized access to patient and employee information. GCBHS identified the cyberattack on December 10, 2023, and determined that initial access to its network occurred the previous day. The DragonForce ransomware group was behind the attack, and initial access was gained using compromised employee credentials. Those credentials gave the ransomware group access to 72 GB of sensitive data, including employee and patient information. The breach was reported to the Maine Attorney General as affecting approximately 62,000 individuals, and the HHS’ Office for Civil Rights was told that the protected health information of up to 50,000 individuals was exposed in the attack. The affected employees and patients started to be notified about the data breach on June 12, 2024, and learned that their names, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, health information, and...
Business Associate Data Breach Affects 462,000 Blue Cross Blue Shield of Montana Members
Approximately 462,000 current and former customers of Blue Cross Blue Shield of Montana (BCBSMT) have been affected by a cyberattack on its New Jersey-based business associate, Conduent Business Services. Conduent Business Services provides BCBSMT with payment, document processing, and other back-office services, which require access to BCBSMT members’ protected health information. On January 13, 2025, Conduent Business Services identified a security incident that caused operational disruption – terminology typically used to describe a ransomware attack. Conduent Business Services was able to restore access to the affected systems and return to normal business operations within a few days. The investigation confirmed unauthorized access to its IT environment commencing on October 21, 2024, and lasting for almost three months. During that time, files were exfiltrated from its network. On April 9, 2025, Conduent Business Services disclosed the cyberattack in a filing with the U.S. Securities and Exchange Commission (SEC). At the time, it was unclear exactly how many individuals...
State Medicaid Agencies Need to Improve Security Controls for MMIS and E&E Systems
Penetration tests conducted on ten State Medicaid Management Information Systems (MMIS) and Eligibility & Enrollment (E&E) systems have revealed they contain vulnerabilities that could potentially be exploited in sophisticated cyberattacks. The penetration tests were conducted on behalf of the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) by a third-party penetration testing company between 2020 and 2022 to determine the effectiveness of information technology system controls in preventing attacks on web-facing MMIS and E&E systems. The penetration tests were conducted in response to an increase in cyberattacks targeting MMIS and E&E systems. These systems are attractive targets as they contain significant amounts of valuable and sensitive data. HHS-OIG has observed an increase in multiple threat types targeting these systems, including ransomware attacks, phishing, and denial-of-service attacks. Between 2012 and 2023, at least six U.S. states have experienced cyberattacks that resulted in access being gained to significant...