Covenant Health data breach affects nearly 500,000 patients after revised investigation

Covenant Health, a Catholic healthcare provider based in Andover, Massachusetts, has disclosed that a cyberattack discovered in May 2025 compromised the personal and health information of nearly 500,000 individuals, sharply revising its initial estimate of the breach’s scope.

The organization confirmed that 478,188 people were affected by the intrusion, which occurred on May 18, 2025, and was discovered eight days later, on May 26. Covenant Health had first informed regulators in July that approximately 7,800 individuals were impacted, but a prolonged forensic investigation revealed a far wider exposure.

Covenant Health operates hospitals, nursing and rehabilitation centers, assisted living residences, and elder care organizations across New England and parts of Pennsylvania, with facilities in Massachusetts, Maine, New Hampshire, Pennsylvania, Rhode Island, and Vermont. The cyberattack led to system shutdowns across hospitals, clinics, and medical practices, affecting some outpatient laboratories and facilities in New Hampshire and Maine. Patient care continued during the disruption, and patients were advised to keep scheduled appointments.

Following the discovery of the breach, Covenant Health engaged third-party forensic specialists to determine how attackers accessed its systems and what information was affected. The organization said it has completed the bulk of its analysis, though the overall review remains ongoing and no timeline has been provided for its conclusion.

The compromised data may include patient names, addresses, dates of birth, medical record numbers, Social Security numbers, health insurance information, and treatment details such as diagnoses, dates of care, and types of treatment. Covenant Health has stated that it has strengthened the security of its IT environment to help prevent similar incidents in the future.

In June 2025, the Qilin ransomware group publicly claimed responsibility for the attack, stating that it had stolen approximately 850 gigabytes of data comprising more than 1.3 million files. Data allegedly taken from Covenant Health has since been made public by the cybercrime group, indicating that a ransom was not paid.

Covenant Health began mailing breach notification letters to affected individuals on Dec. 31, 2025. The organization also notified the Maine Attorney General’s Office that same day, updating regulators on the revised total number of impacted individuals. The notification stated that letters were sent in compliance with federal and state data breach notification requirements.

As part of its response, Covenant Health is offering affected individuals 12 months of free identity protection and credit monitoring services to help detect potential misuse of their information. The organization has also established a dedicated toll-free call center to address questions related to the incident.