Covenant Health Cyberattack Affects More Than 478,000 Patients
Covenant Health has recently confirmed that almost half a million patients may have had some of their protected health information stolen in a May 2025 hacking incident. The New England-based catholic health system first announced that it was grappling with a cyberattack in May 2025, although it has taken several months to review the exposed data and determine how many individuals have been affected.
The cyberattack was detected on May 26, 2025, when it experienced connectivity issues across its network, resulting in disruption at several of its hospitals and clinics throughout New England. Immediate action was taken to contain the incident, and an investigation was launched to establish the nature and scope of the incident. In July, as the data breach reporting deadline was approaching, the HHS’ Office for Civil Rights (OCR) was informed that the data breach affected approximately 7,900 individuals. While the total remains unchanged on the OCR breach portal, the Maine Attorney General has received an updated breach notice indicating 478,188 individuals have been affected, including 284,529 Maine residents. That total could increase. Covenant Health stated that the bulk of the affected files have been reviewed, but the process is not yet complete.
Data known to have been compromised in the incident includes names, addresses, dates of birth, medical record numbers, Social Security numbers, diagnoses, treatment information, dates of treatment, and health insurance information. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services, and steps have been taken to improve security to prevent similar incidents in the future.
This appears to have been an attack by the Qilin ransomware group, a financially-motivated cybercriminal group that has targeted many healthcare organizations. Qilin added Covenant Health to its dark web data leak site and stated that 852 GB of data was stolen in the attack. The listing has since been removed, which usually means a ransom has been paid.