Yale New Haven Health: 5.6 Million Patient Records Stolen in Ivanti VPN Exploit
On March 8, 2025, attackers exploited CVE-2025-0282 - a critical unauthenticated remote code execution vulnerability in Ivanti Connect Secure VPN - to breach Yale New Haven Health System, Connecticut's largest healthcare provider.
The attackers deployed RESURGE, a sophisticated backdoor and rootkit linked to the China-affiliated threat group UNC5221, which embedded itself in Ivanti's native web server infrastructure and survived system reboots by manipulating boot images.
Over 5.5 million patient records were exfiltrated, including names, Social Security numbers, dates of birth, and medical record numbers across all five YNHHS hospitals and 360+ outpatient locations. No ransomware was deployed and patient care was not disrupted.
The breach resulted in an $18 million class action settlement.
KEY FACTS
- What: China-linked group exploited Ivanti VPN zero-day with RESURGE rootkit.
- Who: 5.6 million patients across five Connecticut hospitals.
- Data Exposed: SSNs, medical record numbers, dates of birth, and demographics.
- Outcome: $18M class action settlement; second major breach in two years.
WHAT HAPPENED
On January 8, 2025, CISA issued Emergency Directive ED 25-01 ordering all federal agencies to mitigate CVE-2025-0282 - a critical stack-based buffer overflow in Ivanti Connect Secure VPN appliances that permits unauthenticated remote code execution with no user interaction.
Ivanti had disclosed the vulnerability the same week, confirming active exploitation in the wild. The vulnerability required no credentials, no social engineering, and no insider access. An attacker needed only network access to the VPN appliance's HTTPS interface.
Two months later, on March 8, 2025, attackers exploited CVE-2025-0282 against Yale New Haven Health System's Ivanti Connect Secure VPN infrastructure.
The attackers deployed RESURGE, a 32-bit Linux shared object that functions simultaneously as a backdoor, dropper, rootkit, and trojan.
RESURGE embedded itself within Ivanti's native web server infrastructure and achieved persistence by manipulating boot images, ensuring it survived system reboots and standard remediation attempts.
The malware included a dedicated log tampering module (liblogblock.so) that suppressed forensic evidence in real time.
RESURGE activated only when it detected a specially crafted TLS ClientHello message containing a specific CRC32 hash value - a covert activation mechanism that evaded standard network monitoring.
From this foothold, the attackers moved laterally across YNHHS's network and exfiltrated records for 5,556,702 patients spanning all five hospitals - Yale New Haven Hospital, Bridgeport Hospital, Greenwich Hospital, Lawrence + Memorial Hospital, and Westerly Hospital - as well as 360+ outpatient locations.
No ransomware was deployed. Patient care was not disrupted. The breach was a pure data theft operation. YNHHS reported the breach to HHS OCR within the 60-day HIPAA window. An $18 million class action settlement was reached.
This was YNHHS's second major breach in two years - the 2023 MOVEit exploitation had compromised 847,356 individuals through the same pattern: a known vulnerability in third-party network infrastructure.
WHAT WAS EXPOSED
- Full names, dates of birth, and home addresses for 5,556,702 patients
- Social Security numbers for a significant subset of affected individuals
- Medical record numbers and patient type classifications
- Phone numbers, email addresses, and demographic data including race and ethnicity
- Records spanning all five YNHHS hospitals and 360+ outpatient locations
TECHNICAL FAILURE CHAIN
The attack exploited CVE-2025-0282, a critical stack-based buffer overflow in Ivanti Connect Secure VPN appliances that permits unauthenticated remote code execution.
Ivanti disclosed the vulnerability in January 2025. CISA issued an emergency directive on January 8, 2025. UNC5221, the China-affiliated APT group, deployed RESURGE - a 32-bit Linux shared object functioning as backdoor, dropper, rootkit, and trojan.
RESURGE monitors TLS connections and activates only when it detects a specially crafted TLS ClientHello message containing a specific CRC32 hash value. It includes a dedicated log tampering module (liblogblock.so) and survives reboots by manipulating boot images.
REGULATORY ANALYSIS
YNHHS reported the breach to HHS OCR within the 60-day HIPAA requirement. The $18 million class action settlement provides up to $5,000 per individual for documented losses. This is YNHHS's second major breach - the 2023 MOVEit exploitation compromised 847,356 individuals.
Two major breaches within two years, both involving exploitation of known vulnerabilities in third-party network infrastructure, establish a pattern that regulators will scrutinize.
ZERO|TOLERANCE Advisory
CISA issued an emergency directive on January 8, 2025. Ivanti published the advisory the same week. Two months later, Yale New Haven Health System was breached through the same vulnerability.
This is the second time in two years that YNHHS lost patient data through a known vulnerability in third-party network infrastructure - the 2023 MOVEit breach compromised 847,356 individuals through the same pattern. The failure is not that a zero-day existed.
The failure is that a healthcare system managing 5.6 million patient records did not treat a CISA emergency directive as what it is: an order to act immediately.
Vulnerability management for internet-facing network appliances must operate on emergency timelines. When CISA issues an emergency directive for a VPN appliance with a CVSS critical score and confirmed active exploitation, the response window is hours, not weeks.
Ivanti Connect Secure appliances should have been either patched or isolated from production traffic within 48 hours of ED 25-01. Automated vulnerability scanning from Qualys, Tenable, or Rapid7 must continuously monitor external attack surfaces, with critical findings triggering automated ticketing and escalation to the CISO. The difference between YNHHS and organizations that were not breached through CVE-2025-0282 is not awareness - the directive was public - but the speed of response.
A 48-hour patching window closes the door. A two-month patching window leaves it open for exactly the actors who are watching.
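One way to operationalize the 48-hour window is to join the asset inventory against the CISA KEV catalog and measure each internet-facing appliance's exposure from the directive date to the earlier of patching or isolation. The script below is an added example written for this advisory, not code from YNHHS, CISA or Ivanti: the KEV sample follows the real catalog's field names, but the dueDate values, the second catalog entry, the hostnames, the remediation dates and the report date are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Emergency SLA from the advisory: patch or isolate within 48 hours of the directive.
EMERGENCY_SLA = timedelta(hours=48)

# Constructed sample in the layout of the CISA KEV catalog JSON (field names follow the
# real catalog). dateAdded for CVE-2025-0282 is the ED 25-01 date given in the text; the
# dueDate values and the second entry are illustrative, not copied from the catalog.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-0282", "vendorProject": "Ivanti",
         "product": "Connect Secure", "dateAdded": "2025-01-08", "dueDate": "2025-01-15"},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2025-02-01", "dueDate": "2025-02-22"},
    ]
})

# Constructed asset inventory: internet-facing appliances and when each was patched
# or pulled from production traffic. Hostnames and dates are invented.
ASSETS = [
    {"host": "vpn-01", "cve": "CVE-2025-0282", "patched_at": "2025-01-09"},
    {"host": "vpn-02", "cve": "CVE-2025-0282", "isolated_at": "2025-01-10",
     "patched_at": "2025-01-20"},
    {"host": "vpn-03", "cve": "CVE-2025-0282", "patched_at": "2025-03-10"},
    {"host": "vpn-04", "cve": "CVE-2025-0282"},
]
AS_OF = "2025-03-08"  # report date; any still-open window is measured up to here


def parse_date(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def load_kev(raw_json):
    """Index KEV entries by CVE id so assets can be joined against them."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def assess_asset(asset, kev, as_of):
    """Measure how long one asset stayed exposed after its CVE entered the KEV catalog.

    Exposure starts at KEV dateAdded (the directive date) and ends at the earlier of
    patching or isolation; an asset with neither is still exposed as of `as_of`.
    Returns None for CVEs not in the catalog (normal patch cadence applies to those).
    """
    entry = kev.get(asset["cve"])
    if entry is None:
        return None
    start = parse_date(entry["dateAdded"])
    remediations = [parse_date(asset[k]) for k in ("patched_at", "isolated_at") if asset.get(k)]
    closed_at = min(remediations) if remediations else None
    window = max((closed_at or parse_date(as_of)) - start, timedelta(0))
    if closed_at is None:
        status = "STILL_EXPOSED"
    elif window <= EMERGENCY_SLA:
        status = "WITHIN_SLA"
    else:
        status = "SLA_BREACHED"
    return {
        "host": asset["host"],
        "cve": asset["cve"],
        "kev_due": entry["dueDate"],
        "exposure_hours": window.total_seconds() / 3600,
        "status": status,
    }


def run_report(assets=ASSETS, raw_kev=KEV_SAMPLE, as_of=AS_OF):
    """Assess every asset and return the ones needing escalation first."""
    kev = load_kev(raw_kev)
    rows = [r for r in (assess_asset(a, kev, as_of) for a in assets) if r]
    order = {"STILL_EXPOSED": 0, "SLA_BREACHED": 1, "WITHIN_SLA": 2}
    return sorted(rows, key=lambda r: (order[r["status"]], -r["exposure_hours"]))


if __name__ == "__main__":
    for row in run_report():
        print(f"{row['host']:8} {row['cve']:15} {row['status']:14} "
              f"{row['exposure_hours']:8.1f}h (KEV due {row['kev_due']})")
```

The report is ordered so that still-exposed appliances and SLA breaches surface first; in practice the STILL_EXPOSED rows are what the automated ticketing and CISO escalation described above should be fed from, and the clock is the catalog's dateAdded, not the date the scanner first noticed the host.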
RESURGE achieved persistence by manipulating Ivanti's boot images and suppressed forensic evidence through its liblogblock.so log tampering module. Standard endpoint protection tools do not operate at the firmware or boot image level on network appliances.
Integrity monitoring using tools such as Tripwire or OSSEC must be deployed on VPN appliance file systems to detect unauthorized modifications to boot images, web server binaries, and shared objects.
Ivanti's own Integrity Checker Tool (ICT) was specifically designed to detect this class of manipulation - CISA's advisory explicitly recommended running ICT as part of the mitigation protocol.
Organizations that ran ICT after patching would have detected RESURGE. Organizations that patched without verifying integrity may have patched over a persistent backdoor.
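The integrity check the text calls for reduces to a trusted manifest compared against a fresh one, with changes under the boot, binary and shared-object paths rated highest. The following is an added example for this advisory, not Ivanti's ICT, Tripwire or OSSEC: the directory layout (bin/, lib/, boot/, etc/) and file contents are a constructed mock of an appliance file system, and the severity rules are the example's own assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths on the appliance image where an unexpected change is treated as high severity:
# boot images, the web server binaries and the shared-object directory the text describes.
HIGH_RISK_PREFIXES = ("boot/", "bin/", "lib/")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def severity(rel_path):
    if rel_path.startswith(HIGH_RISK_PREFIXES) or rel_path.endswith(".so"):
        return "high"
    return "low"


def compare_manifests(baseline, current):
    """Diff a trusted baseline against a fresh manifest and rate each change."""
    findings = []
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append({"change": "REMOVED", "path": rel, "severity": severity(rel)})
        elif current[rel] != digest:
            findings.append({"change": "MODIFIED", "path": rel, "severity": severity(rel)})
    for rel in current:
        if rel not in baseline:
            findings.append({"change": "ADDED", "path": rel, "severity": severity(rel)})
    findings.sort(key=lambda f: (f["severity"] != "high", f["path"]))
    return findings


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Build a constructed mock appliance tree, baseline it, tamper, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/webserver", b"ELF web server v1")
        _write(root, "lib/libcore.so", b"ELF core library")
        _write(root, "boot/image.bin", b"BOOT IMAGE")
        _write(root, "etc/config.txt", b"timeout=30\n")
        baseline = build_manifest(root)  # taken from a known-good image, stored off-box

        # Simulated unauthorized changes: a rewritten boot image, a new shared object
        # and a benign config edit.
        _write(root, "boot/image.bin", b"BOOT IMAGE (altered)")
        _write(root, "lib/libextra.so", b"ELF unexpected library")
        _write(root, "etc/config.txt", b"timeout=60\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity'].upper():4}] {f['change']:8} {f['path']}")
```

Two points follow from the text: the baseline must come from a known-good image and be stored and signed off the appliance, since a rootkit on the box can answer the checker with whatever it likes; and the check should run against image files pulled off the device after patching, so that a "patched over a persistent backdoor" condition shows up as MODIFIED or ADDED entries under boot/ and lib/ rather than staying invisible.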
The attackers moved from the VPN appliance to patient record systems containing 5.6 million records across five hospitals.
This lateral movement path - from a network edge device to clinical data repositories - indicates insufficient network segmentation between the VPN termination zone and the healthcare data environment.
VPN appliances must terminate into a DMZ segment with no direct access to clinical databases, EHR systems, or patient record repositories.
East-west traffic between the DMZ and the clinical network must traverse a next-generation firewall with deep packet inspection and behavioral analysis.
Network Detection and Response (NDR) platforms such as Darktrace, Vectra, or ExtraHop detect lateral movement patterns - credential reuse, unusual data access volumes, and protocol anomalies - that perimeter controls miss entirely.
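The segmentation requirement above can be audited before an incident rather than reconstructed after one: the rule set is a graph of zone-to-zone allows, and the question is whether the VPN termination zone reaches the clinical data zones at all, and if so through which hops and with what inspection. The script below is an added example written for this advisory, not an export from any YNHHS firewall or NGFW product; the zone names, rule ids, ports and inspection profile names are constructed.

```python
from collections import defaultdict

# Constructed zone-to-zone allow rules; names, ports and profiles are invented.
# "inspection" is the NGFW profile applied to the rule (None = plain L4 allow).
RULES = [
    {"id": "r1", "src": "vpn-dmz", "dst": "user-lan", "ports": [443], "inspection": "dpi-std"},
    {"id": "r2", "src": "user-lan", "dst": "app-tier", "ports": [443], "inspection": "dpi-std"},
    {"id": "r3", "src": "app-tier", "dst": "clinical-db", "ports": [1433], "inspection": "dpi-db"},
    {"id": "r4", "src": "vpn-dmz", "dst": "clinical-db", "ports": ["any"], "inspection": None},
    {"id": "r5", "src": "user-lan", "dst": "clinical-db", "ports": [3389], "inspection": None},
]

VPN_ZONE = "vpn-dmz"
CLINICAL_ZONES = {"clinical-db", "ehr-app"}  # zones holding patient data (assumed names)


def audit_rules(rules):
    """Flag rules that violate the segmentation policy described in the advisory."""
    findings = []
    for r in rules:
        into_clinical = r["dst"] in CLINICAL_ZONES
        if r["src"] == VPN_ZONE and into_clinical:
            findings.append(("CRITICAL", "DIRECT_VPN_TO_CLINICAL", r["id"]))
        if into_clinical and not r["inspection"]:
            findings.append(("HIGH", "NO_INSPECTION_INTO_CLINICAL", r["id"]))
        if "any" in r["ports"]:
            findings.append(("HIGH", "ANY_PORT_ALLOW", r["id"]))
    return findings


def reachable_paths(rules, start, targets):
    """Enumerate simple zone paths from start into any target zone via allow rules.

    Each path lists the zones crossed, the rule ids used, and which of those rules
    carry no inspection profile (the hops a DPI-based control never sees).
    """
    edges = defaultdict(list)
    for r in rules:
        edges[r["src"]].append(r)
    paths = []

    def walk(zone, zones, hops):
        for r in edges[zone]:
            nxt = r["dst"]
            if nxt in zones:
                continue  # simple paths only; skip loops
            if nxt in targets:
                used = hops + [r]
                paths.append({
                    "zones": zones + [nxt],
                    "rules": [h["id"] for h in used],
                    "uninspected": [h["id"] for h in used if not h["inspection"]],
                })
            else:
                walk(nxt, zones + [nxt], hops + [r])

    walk(start, [start], [])
    return paths


if __name__ == "__main__":
    for sev, kind, rid in audit_rules(RULES):
        print(f"{sev:8} {kind:28} {rid}")
    for p in reachable_paths(RULES, VPN_ZONE, CLINICAL_ZONES):
        print(" -> ".join(p["zones"]), "via", p["rules"], "uninspected:", p["uninspected"])
```

On the sample policy the audit flags r4 as a direct VPN-to-clinical path and r4 and r5 as uninspected entries into the data zone, and the path enumeration shows that even after r4 is removed the VPN zone still reaches the database through user-lan over r5. That second finding is the one a rule-by-rule review misses and is exactly the edge-to-clinical path the text describes.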
The exfiltration of 5.6 million patient records - including Social Security numbers - produced no automated alert.
Data Loss Prevention (DLP) controls scoped to healthcare data patterns (SSN formats, medical record number structures, patient demographic schemas) must monitor all egress paths from the clinical network.
Bulk data transfers exceeding defined thresholds should trigger automatic blocking and SOC escalation. The absence of DLP meant that the entire patient database could be exfiltrated without triggering a single control between the attacker and the internet.
For a healthcare system that had already been breached through MOVEit 18 months earlier, the absence of DLP on clinical data egress paths is not an oversight - it is a pattern of underinvestment in data-centric security that regulators will continue to scrutinize.
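The DLP logic the text describes has two parts: recognizing healthcare identifiers in egress traffic (SSNs validated against the SSA's structural rules, not just a digit pattern, and medical record numbers), and a per-destination bulk threshold over a time window so that a database walked out in many small transfers still trips a control. The following is an added example written for this advisory, not a vendor DLP policy: the SSN validity rules are the real structural rules, the MRN layout ("MRN-" plus eight digits), the thresholds, the destination addresses and every sample payload are constructed assumptions.

```python
import re
from collections import defaultdict, deque

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed MRN layout for this example ("MRN-" plus eight digits); real formats vary by
# organisation and the pattern should be taken from the EHR's own scheme.
MRN_RE = re.compile(r"\bMRN-\d{8}\b")


def is_valid_ssn(area, group, serial):
    """SSA structural rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def extract_identifiers(text):
    ssns = {m.group(0) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())}
    mrns = set(MRN_RE.findall(text))
    return ssns, mrns


class EgressMonitor:
    """Per-destination bulk-transfer detector over a sliding time window."""

    def __init__(self, alert_at=1, block_at=5, rolling_block_at=8, window_s=600):
        self.alert_at = alert_at                   # identifiers in one transfer -> ALERT
        self.block_at = block_at                   # SSNs in one transfer -> BLOCK
        self.rolling_block_at = rolling_block_at   # unique SSNs per dest in window -> BLOCK
        self.window_s = window_s
        self._seen = defaultdict(deque)            # dest -> deque of (ts, ssn)

    def inspect(self, ts, dest, payload):
        ssns, mrns = extract_identifiers(payload)
        q = self._seen[dest]
        while q and ts - q[0][0] > self.window_s:  # expire entries outside the window
            q.popleft()
        for s in ssns:
            q.append((ts, s))
        rolling = len({s for _, s in q})           # unique SSNs to this dest in window
        reasons = []
        if len(ssns) >= self.block_at:
            reasons.append(f"{len(ssns)} SSNs in a single transfer")
        if rolling >= self.rolling_block_at:
            reasons.append(f"{rolling} unique SSNs sent to {dest} within {self.window_s}s")
        if reasons:
            decision = "BLOCK"
        elif len(ssns) + len(mrns) >= self.alert_at:
            decision = "ALERT"
            reasons.append(f"{len(ssns)} SSN(s), {len(mrns)} MRN(s) in transfer")
        else:
            decision = "ALLOW"
        return {"ts": ts, "dest": dest, "decision": decision, "ssn_count": len(ssns),
                "mrn_count": len(mrns), "rolling_unique_ssn": rolling, "reasons": reasons}


def fake_ssn(i):
    """Structurally valid but constructed SSN for sample payloads."""
    return f"{100 + i:03d}-{i % 98 + 1:02d}-{1000 + i:04d}"


def run_demo():
    """Constructed egress events: timestamps, destinations and payloads are invented."""
    events = [
        (0, "203.0.113.10", "export batch 1: " + " ".join(fake_ssn(i) for i in range(0, 2))),
        (60, "203.0.113.10", "export batch 2: " + " ".join(fake_ssn(i) for i in range(2, 5))),
        (120, "203.0.113.10", "export batch 3: " + " ".join(fake_ssn(i) for i in range(5, 9))),
        (130, "198.51.100.7", "dump: " + " ".join(fake_ssn(i) for i in range(0, 6))),
        (200, "192.0.2.44", "invalid only: 666-12-3456 000-11-2222 123-00-4567 123-45-0000"),
        (260, "192.0.2.44", "single record MRN-00012345 for follow-up"),
    ]
    mon = EgressMonitor()
    return [mon.inspect(ts, dest, payload) for ts, dest, payload in events]


if __name__ == "__main__":
    for r in run_demo():
        print(f"t={r['ts']:4} {r['dest']:14} {r['decision']:5} {'; '.join(r['reasons'])}")
```

In the sample run the third batch to 203.0.113.10 is only four SSNs, below the single-transfer block threshold, but the rolling count of nine unique SSNs to that destination inside ten minutes blocks it; that is the low-and-slow case a per-request check alone does not catch. The invalid-format payload allows through, which is why validating the SSN structure matters for keeping the alert volume usable by the SOC.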
SOURCES
Yale New Haven Health System Notice, HIPAA Journal, Healthcare Dive, CISA MAR-25993211-r1.v1, Ivanti Security Advisory, Mandiant/Google UNC5221 Analysis, CISA Emergency Directive ED 25-01