Cyber Incident Victim: Yale New Haven Health

Date: Aug 2022

Location: United States of America

Summary

Yale Medicine experienced a cybersecurity incident involving unauthorized access to a legacy medical records system. The system contained patient information from a physician's prior private practice, recorded before the practice was integrated into Yale's secure environment. An external actor compromised a computer associated with the pre-acquisition records and deployed malicious software that encrypted files, potentially exposing data from patients treated while the physician operated independently. The organization confirmed that its post-acquisition electronic health records remained unaffected but could not definitively rule out unauthorized access to the legacy files during the breach.


Description

Yale Medicine experienced a cybersecurity incident involving patient records from Dr. Tito Vasquez’s former practice, Connecticut Plastic Surgery Group LLC. The breach affected records of patients treated between 2009 and May 2021, prior to Yale Medicine’s acquisition of the practice. After acquiring the practice in May 2021, Yale securely migrated all post-acquisition records to its own medical record system, which remained unaffected. The pre-acquisition records remained on a separate computer system maintained by the former practice. On September 12, 2022, Yale discovered that an unauthorized third party had accessed this legacy computer system on or around August 11, 2022, installing malicious software that rendered files inaccessible. The attack methodology suggested ransomware encryption, though Yale did not confirm whether a ransom demand occurred.

Yale’s investigation could not rule out unauthorized access to patient information stored on the compromised system. The impacted data included records spanning 12 years but excluded any information processed after the practice’s integration into Yale’s secure infrastructure. Yale Medicine publicly disclosed the incident, emphasizing that its primary systems were not breached. No details were provided regarding the legacy system’s security posture at acquisition, backup availability, or data recovery efforts. The notification did not specify the number of affected individuals but confirmed the exposure window and types of records involved. Yale directed patients to its official communication channels for updates but did not report regulatory actions or financial impacts resulting from the incident.
