Cyber Incident Victim: Covenant Health, Inc.
Date:
May 2025
Location:
United States of America
Summary
Covenant Health discovered unusual activity in its IT environment and determined that an unauthorized third party had accessed its network and obtained patient information including names, dates of birth, medical record numbers, Social Security numbers, health insurance details and treatment data. The breach affected up to 478,188 individuals. The Qilin ransomware group claimed responsibility for the incident, alleging the theft of numerous files. After initial notifications to regulators indicated a much smaller impact, further analysis revealed the larger scale of exposure. The organization subsequently mailed notices to affected individuals and offered complimentary credit monitoring and identity theft protection services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or about May 26, 2025, Covenant Health discovered unusual activity in its IT environment. They launched an investigation and determined that on May 18, 2025, an unauthorized third party gained access to their network. The organization first disclosed the breach to the Maine Attorney General’s Office in July 2025, reporting that 7,800 individuals were impacted. After further analysis, Covenant Health updated the Maine Attorney General’s Office on December 31, 2025, stating that 478,188 individuals may have been affected. The intrusion was discovered on May 26, 2025, and the investigation continued until December 2025.
The compromised information may have included names, dates of birth, medical record numbers, Social Security numbers, health insurance information, and treatment information. Covenant Health operates hospitals, nursing and rehabilitation centers, assisted living residences and elder care organizations across New England and parts of Pennsylvania, meaning the breach potentially affected patients across multiple states and care settings. The Qilin ransomware group claimed responsibility for the attack in June 2025, alleging that it stole more than 1.3 million files totalling approximately 850 GB. Covenant Health has not confirmed those figures but acknowledged that patient information was accessed.
In response, Covenant Health immediately discontinued access to all data systems in its hospitals, clinics and provider practices as a precaution. The organization brought in outside parties to assist with determining the cause and restoring system access. It engaged third‑party forensic specialists to investigate the incident and identify the data involved. Beginning December 31, 2025, Covenant Health started mailing notification letters to individuals whose information may have been compromised. For those whose Social Security numbers may have been involved, the organization offered complimentary credit monitoring and identity theft protection services. Additionally, Covenant Health set up a dedicated toll‑free call center to handle questions related to the breach.