Active breach tracker Tewksbury, Massachusetts Disclosed July 11, 2025

Covenant Health Data Breach 2025: 478,188 Affected · Qilin Ransomware Attack · Maine, New Hampshire & Massachusetts. What To Do.

Covenant Health, a Catholic nonprofit health system serving New England, was hit by a Qilin ransomware attack in May 2025. Initial HHS OCR filing reported 7,864 affected; revised disclosures in late 2025 raised the count to 478,188 patients. Names, Social Security numbers, medical record numbers, diagnoses, treatment details, and health insurance information were exposed.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 18, 2025

access

May 26, 2025

detected

May 26, 2025

Breach detected

Jun 26, 2025

other

Jul 11, 2025

filed

Jul 11, 2025

notified

Jul 11, 2025

Disclosed publicly

Dec 31, 2025

notified

Jun 15, 2026

class-action

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical record number Diagnoses Dates of treatment Type of treatment

03

Contact & insurance

Phishing + targeted scams

Full name Address Health insurance information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Covenant Health, a Catholic nonprofit health system headquartered in Tewksbury, Massachusetts, was the target of a Qilin ransomware attack that gave intruders access to its IT environment for more than a week before detection. According to the entity’s own substitute notice, an unauthorized third party accessed the network on May 18, 2025, and the intrusion was detected on May 26, 2025 when network connectivity issues forced hospitals and clinics offline across New England. After a months-long forensic review, Covenant Health confirmed that 478,188 patients had personal and protected health information exposed — a figure roughly 60x larger than the 7,864-person interim count submitted to HHS in July 2025.

The Qilin ransomware-as-a-service group claimed responsibility on its leak site in late June 2025, asserting it had exfiltrated approximately 852 GB / 1.35 million files. Operations at St. Joseph Hospital (Nashua, NH), St. Joseph Healthcare (Bangor, ME), and St. Mary’s Health System (Lewiston, ME) were disrupted during the recovery period.

Timeline

  • May 18, 2025 — Unauthorized actor first accessed Covenant Health’s IT environment.
  • May 26, 2025 — Covenant Health detected suspicious activity; hospitals and clinics across New England experienced connectivity disruptions.
  • June 26, 2025 — Qilin ransomware group claimed responsibility on its dark-web leak site, alleging 852 GB / 1.35 million files exfiltrated.
  • July 11, 2025 — Initial HIPAA breach notification filed with HHS OCR listing 7,864 affected individuals; first wave of notification letters mailed.
  • December 31, 2025 — Revised disclosure filed with the Maine Attorney General raised the affected count to 478,188; second wave of notification letters began.
  • June 15, 2026 — Multiple proposed class-action complaints pending in Penobscot County Superior Court (Maine) and federal court, including McClain v. Covenant Health.

Exposed data

Per Covenant Health’s substitute notice, exposed data elements vary by individual and may include:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Medical record number
  • Diagnoses
  • Dates of treatment and type of treatment
  • Health insurance information

The combination of Social Security number with diagnosis and treatment data is the highest-risk pairing in this breach: it enables both financial identity theft and medical identity theft, and the data was confirmed exfiltrated by an extortion group with a track record of publishing stolen records.

What Covenant Health is offering

Covenant Health is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were involved. The enrollment code and instructions appear in each individual’s notification letter. The notice does not name the credit monitoring vendor in its public-facing version.

Class-action litigation

At least one proposed class-action complaint, McClain v. Covenant Health, has been filed in Penobscot County Superior Court in Maine, naming Covenant Health and St. Joseph Hospital (Bangor) as defendants. The complaint alleges failure to implement reasonable cybersecurity safeguards and seeks restitution, compensatory damages, and a court order requiring additional security controls. Multiple plaintiffs’ firms have publicly announced investigations.

What to do if you may be affected

If you received care at any Covenant Health hospital, clinic, rehabilitation center, or assisted-living residence in Maine, New Hampshire, Massachusetts, Pennsylvania, Rhode Island, or Vermont — including the three flagship facilities (St. Joseph Hospital of Nashua, St. Joseph Healthcare in Bangor, and St. Mary’s Health System in Lewiston) — assume your information is in scope until your individual letter confirms otherwise.

  • Enroll in the offered credit monitoring if your letter includes an activation code. Use the full term offered. This is the single biggest piece of value Covenant Health is providing at no cost.
  • Freeze your credit with all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). Freezes are free, take about ten minutes per bureau, and stop new accounts from being opened in your name.
  • Watch for medical identity theft. Review explanation-of-benefits statements from your health insurer. Unfamiliar providers, dates, or procedures can be the first sign that someone is using your medical record number to obtain care or file fraudulent claims.
  • File an IRS Identity Protection PIN. If your SSN was exposed, this prevents a thief from filing a fraudulent tax return in your name.
  • Be skeptical of unsolicited calls or emails referencing the breach. Scammers routinely impersonate breached entities. Covenant Health will not ask for payment, your full SSN, or banking information by phone or email in connection with the notification.
  • Consider joining the class action. If a settlement or judgment is reached, class members are generally bound regardless of whether they actively participated. Speak with class counsel or a consumer-protection attorney to understand your options.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.