Covenant Health has confirmed that a recent cyberattack may have compromised the personal information of nearly 500,000 patients, significantly more than the initial estimate of 7,864 individuals.
Covenant Health, a healthcare provider based in Andover, Massachusetts, has revealed that a cyberattack detected on May 26, 2025, may have affected nearly 500,000 patients. This figure marks a significant increase from the fewer than 8,000 individuals initially reported earlier this year.
The breach was first identified when Covenant Health noticed unusual activity within its IT environment. Investigations indicated that the attackers gained access to sensitive patient information starting May 18, 2025, eight days before the breach was officially detected.
While a ransomware group known as Qilin later claimed responsibility for the attack, Covenant Health has not confirmed whether ransomware was indeed used. The group alleged that they stole approximately 852 gigabytes of data, including nearly 1.35 million files. Covenant Health acknowledged that patient information was accessed but did not confirm the specific data volume claimed by the attackers.
The compromised information may include names, addresses, Social Security numbers, medical record numbers, health insurance details, and treatment information such as diagnoses and dates of care. This breach poses a serious risk to patients, as the exposed data can be exploited for identity theft and other malicious activities.
In July, Covenant Health informed regulators that the breach initially affected 7,864 individuals. However, following extensive data analysis, the organization has now revised that estimate to as many as 478,188 individuals potentially impacted.
Covenant Health operates a network of hospitals, nursing and rehabilitation centers, assisted living residences, and elder care organizations across New England and parts of Pennsylvania. This extensive reach means that the breach may have affected patients across multiple states and various care settings.
In response to the incident, Covenant Health has engaged third-party forensic specialists to investigate the breach and assess the extent of the data involved. The organization has stated that its data analysis is ongoing as it continues to identify individuals whose information may have been compromised.
As part of its response, Covenant Health has set up a dedicated toll-free call center to address questions related to the breach. Beginning December 31, 2025, the organization started mailing notification letters to patients whose information may have been compromised. For those whose Social Security numbers were involved, Covenant Health is offering complimentary credit monitoring and identity theft protection services.
Healthcare organizations are increasingly becoming prime targets for cybercriminals due to the sensitive nature of the data they handle. Medical records contain a combination of personal, financial, and health information that is difficult to change once exposed. Unlike passwords, which can be reset, sensitive health information cannot be altered, making it particularly valuable to attackers.
The breach at Covenant Health underscores the challenges faced by large healthcare networks, which often rely on complex systems and third-party vendors. This reliance can slow down forensic analysis in the early stages of an investigation, leading to underestimations of the breach’s impact.
As investigations continue, the number of affected individuals may rise further. Covenant Health has confirmed the expanded scope of the incident and outlined the steps being taken to notify patients and enhance security measures.
For individuals who received a notice from Covenant Health or those concerned about potential exposure in healthcare breaches, it is advisable to take proactive steps to mitigate risks. Accepting credit monitoring or identity protection services can help alert individuals to suspicious activity related to their personal information.
Additionally, monitoring personal information for signs of misuse, such as unfamiliar accounts or unauthorized transactions, is crucial. Implementing a fraud alert or credit freeze can provide added security, particularly if Social Security numbers were compromised.
As the landscape of cyber threats continues to evolve, it is essential for healthcare organizations to bolster their security measures and for individuals to remain vigilant in protecting their personal information.
According to Bleeping Computer, the Qilin ransomware group has been linked to the attack, highlighting the ongoing threat posed by cybercriminals targeting the healthcare sector.