Cyber Incident Victim: Covenant Health, Inc.
Date: May 2021
Location: United States of America
Summary
A healthcare provider experienced unauthorized access to two employee email accounts, compromising sensitive information. The organization discovered the breach months later and determined that threat actors had infiltrated the accounts on a single day. A forensic investigation and document review revealed that personal data of patients and employees was exposed. Approximately 45,000 individuals were affected by the incident. The entity notified impacted parties by mail where contact details were available and posted a public notice on its website regarding the breach.
Description
On May 4, 2021, unauthorized actors accessed two employee email accounts at Covenant HealthCare, a Michigan-based healthcare provider. The organization first became aware of the breach on December 21, 2020, following a forensic investigation and document review that determined the compromise date. Between May 4 and December 21, there was no public indication of when Covenant initially detected suspicious activity or whether the threat actors maintained persistent access. The investigation confirmed that the breached email accounts contained protected health information (PHI) and personally identifiable information (PII) of patients and employees, though specific data types were not disclosed. Covenant began notifying affected individuals by mail after completing its review, prioritizing cases where contact information was available. The hospital also published a breach notice on its website but did not initially disclose the number of impacted parties.

Media outlets subsequently reported on February 25, 2021, that approximately 45,000 patients and employees were affected by the incident. The breach notification process occurred between December 21 and February 24, 2021, though Covenant did not specify whether regulatory agencies received earlier alerts. No evidence emerged in available sources regarding the attackers' identity, motives, or whether extracted data was misused. The hospital's public response focused on informing affected individuals through direct mail and website announcements without detailing technical containment measures or system enhancements implemented post-breach. The compromised email accounts remained the only confirmed attack vector referenced in disclosures.
