Covenant Health Data Breach 2025: 478,188 Affected · Qilin Ransomware Attack · Maine, New Hampshire & Massachusetts. What To Do.
Covenant Health, a Catholic nonprofit health system serving New England, was hit by a Qilin ransomware attack in May 2025. Initial HHS OCR filing reported 7,864 affected; revised disclosures in late 2025 raised the count to 478,188 patients. Names, Social Security numbers, medical record numbers, diagnoses, treatment details, and health insurance information were exposed.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 18, 2025
access
May 26, 2025
detected
May 26, 2025
Breach detected
Jun 26, 2025
other
Jul 11, 2025
filed
Jul 11, 2025
notified
Jul 11, 2025
Disclosed publicly
Dec 31, 2025
notified
Jun 15, 2026
class-action
May 18, 2025
access
May 26, 2025
detected
May 26, 2025
Breach detected
Jun 26, 2025
other
Jul 11, 2025
filed
Jul 11, 2025
notified
Jul 11, 2025
Disclosed publicly
Dec 31, 2025
notified
Jun 15, 2026
class-action
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Covenant Health, a Catholic nonprofit health system headquartered in Tewksbury, Massachusetts, was the target of a Qilin ransomware attack that gave intruders access to its IT environment for more than a week before detection. According to the entity’s own substitute notice, an unauthorized third party accessed the network on May 18, 2025, and the intrusion was detected on May 26, 2025 when network connectivity issues forced hospitals and clinics offline across New England. After a months-long forensic review, Covenant Health confirmed that 478,188 patients had personal and protected health information exposed — a figure roughly 60x larger than the 7,864-person interim count submitted to HHS in July 2025.
The Qilin ransomware-as-a-service group claimed responsibility on its leak site in late June 2025, asserting it had exfiltrated approximately 852 GB / 1.35 million files. Operations at St. Joseph Hospital (Nashua, NH), St. Joseph Healthcare (Bangor, ME), and St. Mary’s Health System (Lewiston, ME) were disrupted during the recovery period.
Timeline
- May 18, 2025 — Unauthorized actor first accessed Covenant Health’s IT environment.
- May 26, 2025 — Covenant Health detected suspicious activity; hospitals and clinics across New England experienced connectivity disruptions.
- June 26, 2025 — Qilin ransomware group claimed responsibility on its dark-web leak site, alleging 852 GB / 1.35 million files exfiltrated.
- July 11, 2025 — Initial HIPAA breach notification filed with HHS OCR listing 7,864 affected individuals; first wave of notification letters mailed.
- December 31, 2025 — Revised disclosure filed with the Maine Attorney General raised the affected count to 478,188; second wave of notification letters began.
- June 15, 2026 — Multiple proposed class-action complaints pending in Penobscot County Superior Court (Maine) and federal court, including McClain v. Covenant Health.
Exposed data
Per Covenant Health’s substitute notice, exposed data elements vary by individual and may include:
- Full name
- Address
- Date of birth
- Social Security number
- Medical record number
- Diagnoses
- Dates of treatment and type of treatment
- Health insurance information
The combination of Social Security number with diagnosis and treatment data is the highest-risk pairing in this breach: it enables both financial identity theft and medical identity theft, and the data was confirmed exfiltrated by an extortion group with a track record of publishing stolen records.
What Covenant Health is offering
Covenant Health is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were involved. The enrollment code and instructions appear in each individual’s notification letter. The notice does not name the credit monitoring vendor in its public-facing version.
Class-action litigation
At least one proposed class-action complaint, McClain v. Covenant Health, has been filed in Penobscot County Superior Court in Maine, naming Covenant Health and St. Joseph Hospital (Bangor) as defendants. The complaint alleges failure to implement reasonable cybersecurity safeguards and seeks restitution, compensatory damages, and a court order requiring additional security controls. Multiple plaintiffs’ firms have publicly announced investigations.
What to do if you may be affected
If you received care at any Covenant Health hospital, clinic, rehabilitation center, or assisted-living residence in Maine, New Hampshire, Massachusetts, Pennsylvania, Rhode Island, or Vermont — including the three flagship facilities (St. Joseph Hospital of Nashua, St. Joseph Healthcare in Bangor, and St. Mary’s Health System in Lewiston) — assume your information is in scope until your individual letter confirms otherwise.
- Enroll in the offered credit monitoring if your letter includes an activation code. Use the full term offered. This is the single biggest piece of value Covenant Health is providing at no cost.
- Freeze your credit with all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). Freezes are free, take about ten minutes per bureau, and stop new accounts from being opened in your name.
- Watch for medical identity theft. Review explanation-of-benefits statements from your health insurer. Unfamiliar providers, dates, or procedures can be the first sign that someone is using your medical record number to obtain care or file fraudulent claims.
- File an IRS Identity Protection PIN. If your SSN was exposed, this prevents a thief from filing a fraudulent tax return in your name.
- Be skeptical of unsolicited calls or emails referencing the breach. Scammers routinely impersonate breached entities. Covenant Health will not ask for payment, your full SSN, or banking information by phone or email in connection with the notification.
- Consider joining the class action. If a settlement or judgment is reached, class members are generally bound regardless of whether they actively participated. Speak with class counsel or a consumer-protection attorney to understand your options.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- Covenant Health — Notice of Data Security Incident — the entity’s own substitute notice.
- HIPAA Journal — Covenant Health Cyberattack — established healthcare-privacy trade press; revised victim count and Qilin attribution.
- SecurityWeek — Covenant Health Data Breach Impacts 478,000 Individuals — corroborating security-industry coverage.
- BleepingComputer — Covenant Health says May data breach impacted nearly 478,000 patients — technical reporting on the Qilin attack chain and exfiltration claim.
- The Record (Recorded Future News) — Nearly 480,000 impacted by Covenant Health breach — independent threat-intelligence reporting.
- ClassAction.org — Covenant Health Faces Class Action Lawsuit Over May 2025 Data Breach — litigation tracker covering McClain v. Covenant Health.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Covenant Health — Notice of Data Security Incident
- HIPAA Journal — Covenant Health Cyberattack (478,188 affected)
- SecurityWeek — Covenant Health Data Breach Impacts 478,000 Individuals
- BleepingComputer — Covenant Health May breach impacted nearly 478,000 patients
- The Record — Nearly 480,000 impacted by Covenant Health breach
- ClassAction.org — Covenant Health Faces Class Action Lawsuit
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.