Covenant Health suffered a ransomware attack by the Qilin group in May 2025, compromising data of over 478,000 individuals.
Covenant Health, Inc., based in Andover, Massachusetts, is a healthcare organization that provides medical services and patient care. Covenant Health operates hospitals, clinics, or related healthcare facilities in multiple states, including Massachusetts, Maine, New Hampshire, Pennsylvania, and Vermont.
Covenant Health experienced a cyberattack starting May 26, 2025, leading to a shutdown of systems across hospitals, clinics, and practices. At this time, it was unclear whether data was stolen or ransomware was employed. The organization hired top cybersecurity experts to contain and investigate the incident. Services continue with minimal disruption, though some systems and outpatient labs are affected. St. Joseph’s in New Hampshire and two Maine hospitals are also impacted. Patients are advised to keep appointments.
Now, the healthcare organization is notifying customers that their personal and health information may have been compromised as a result of the cyber attack that occurred on May 18, 2025.
Covenant Health reported that 7,800 individuals were affected by a data breach in July, but updated the total to 478,188 in December 2025.
“On December 31, 2025, Covenant Health mailed letters to patients whose information may have been involved, including the Maine residents, in accordance with the Health Insurance Portability and Accountability Act (45 CFR § 164.404) and Me. Rev. Stat. Tit. 10, §1348. A sample copy of the notification letter is enclosed. Covenant Health is offering complimentary credit monitoring and identity protection services to Massachusetts residents whose Social Security numbers may have been involved.” reads the data breach notification sent to the Maine Attorney General’s Office. “Covenant Health has also established a dedicated, toll-free call center to address questions about the incident. Covenant Health has enhanced the security of its IT environment to help prevent something like this from happening again.”
Compromised data includes patient name, date of birth, address, SSN, medical record number, health insurance information, health insurance information, and/or treatment information, such as diagnoses, dates of treatment, and type of treatment.
In June, the Qilin ransomware group claimed responsibility for the attack. The group announced the theft of 850 GB of sensitive data.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, healthcare)
