Covenant Surgical Partners Data Breach 2025: 88,609 Affected. Business-Associate Hack Notified Through Your ASC. Class-Action Investigations Open. What To Do
Covenant Surgical Partners, Inc. d/b/a Covenant Physician Partners, an ambulatory surgery center management company under USPI/Tenet Healthcare, filed a HIPAA breach with HHS OCR on May 28, 2025 affecting 88,609 individuals. The OCR record lists Covenant as a Business Associate, so notification letters reach patients through their surgery center, not from Covenant directly. Multiple plaintiff firms have opened investigations; no class action has been confirmed filed as of this update.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 28, 2025
Filed with HHS OCR: 88,609 individuals, Hacking/IT Incident on Network Server, role Business Associate, state TX
Jun 10, 2025
Strauss Borrelli PLLC publicly announces investigation of the Covenant Physician Partners breach
Jun 20, 2025
HIPAA Times publishes coverage; notes absence of public substitute notice from Covenant or parent USPI/Tenet
Jun 24, 2025
Lynch Carpenter, LLP issues investigation notice; identifies exposed categories as name, DOB, contact info, medical records, payment, insurance
Sep 24, 2025
ClassAction.org closes its investigation page with no class action complaint confirmed filed
May 28, 2025
Filed with HHS OCR: 88,609 individuals, Hacking/IT Incident on Network Server, role Business Associate, state TX
Jun 10, 2025
Strauss Borrelli PLLC publicly announces investigation of the Covenant Physician Partners breach
Jun 20, 2025
HIPAA Times publishes coverage; notes absence of public substitute notice from Covenant or parent USPI/Tenet
Jun 24, 2025
Lynch Carpenter, LLP issues investigation notice; identifies exposed categories as name, DOB, contact info, medical records, payment, insurance
Sep 24, 2025
ClassAction.org closes its investigation page with no class action complaint confirmed filed
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Covenant Surgical Partners, Inc., doing business as Covenant Physician Partners, filed a HIPAA breach notification with the HHS Office for Civil Rights on May 28, 2025, reporting 88,609 affected individuals in a Hacking/IT Incident at a network server. The OCR record lists the entity’s role as Business Associate with the covered-entity type recorded against Texas. That role classification is the most important fact on the page for affected patients: notification letters do not arrive from Covenant. They arrive from the ambulatory surgery center or physician practice that contracted with Covenant for back-office services.
Timeline
- May 28, 2025. Covenant Surgical Partners, Inc. files with HHS OCR. The portal records 88,609 affected individuals, breach type Hacking/IT Incident, location of breached information Network Server, and role Business Associate.
- June 10, 2025. Strauss Borrelli PLLC publicly announces an investigation into the Covenant Physician Partners breach.
- June 20, 2025. HIPAA Times publishes trade coverage and notes the absence of a public substitute notice from Covenant or parent companies USPI and Tenet Healthcare.
- June 24, 2025. Lynch Carpenter, LLP issues an investigation notice on GlobeNewswire and identifies exposed categories: name, date of birth, contact information, medical records, payment information, and health insurance information.
- Through 2025. Additional plaintiff firms open investigations: Levi & Korsinsky LLP, Shamis & Gentile P.A., and Siri & Glimstad LLP. Covenant notifies state attorneys general in at least 14 states and files with the SEC. No class action has been confirmed filed as of this update.
The breach incident date itself, the attacker, and the technical attack vector have not been publicly disclosed by Covenant or its parent companies.
What was exposed
Per the Lynch Carpenter investigation notice (June 24, 2025) and corroborating HIPAA Times coverage, the data elements involved include:
- Full name
- Contact information (address, phone, email)
- Date of birth
- Medical records
- Health insurance information
- Payment information
ClaimDepot, which aggregates state AG portal disclosures, additionally lists Social Security numbers and government IDs as affected data types. This is consistent with the breadth of multi-state AG filings Covenant made, which typically include the state-specific notification letters. However, neither Covenant nor USPI has published a public notice confirming SSN exposure, and the entity’s own notification letter text has not been independently extracted from any state AG portal as of this update. Treat the SSN claim as unconfirmed until the entity issues a public notice or a state AG portal notice is extracted and reviewed.
The OCR portal entry by itself does not enumerate data elements. The breakdown above comes from the plaintiff-firm investigation notices, which typically work from copies of the notification letters mailed to affected patients.
Who’s notifying you, your surgery center, not Covenant
Covenant Surgical Partners d/b/a Covenant Physician Partners is a back-office and management company for ambulatory surgery centers and physician practices. It provides HR, billing, compliance, IT, clinical services, accounting, payroll, and payor relations to the surgical practices it owns or manages. The patients whose data was exposed are patients of those downstream surgery centers, not direct patients of Covenant.
Under HIPAA, when a business associate has a breach, the BA may either notify affected individuals itself or delegate that duty to the covered entity. Covenant has taken the second path. Most affected patients will receive a letter on letterhead from the surgical center or physician practice where they were treated, with a reference to a third-party service provider or vendor.
The practical signal in the mailbox is the envelope. A letter in 2025 or 2026 from an ambulatory surgery center referencing a “data security incident” or an “incident involving a service provider” is the typical form. Covenant has not published a substitute notice on its own website or its parent company’s website.
Covenant was acquired by United Surgical Partners International (USPI), a subsidiary of Tenet Healthcare, in July 2024. The company was headquartered in Nashville, Tennessee prior to the acquisition, where it was founded in 2005 as a single and limited-specialty ASC operator before rebranding as Covenant Physician Partners in 2020. USPI operates a network of approximately 535 surgical facilities nationally.
State AG filings
Covenant Surgical Partners notified state attorneys general across at least 14 states. ClaimDepot, which aggregates AG portal disclosures, lists filings with the California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington attorneys general, as well as a filing with the U.S. Securities and Exchange Commission. The breadth of these filings indicates that affected individuals are spread across many states, consistent with Covenant’s multi-state footprint of managed surgery centers.
The specific state-resident counts and the text of the consumer notification letters have not been independently extracted from state AG portals as of this update.
Class-action posture
As of this update:
- Investigations open at Lynch Carpenter LLP, Levi & Korsinsky LLP, Strauss Borrelli PLLC, Shamis & Gentile P.A., and Siri & Glimstad LLP.
- No class action complaint has been publicly confirmed filed against Covenant Surgical Partners, Inc., Covenant Physician Partners, USPI, or Tenet Healthcare in connection with this breach.
- ClassAction.org closed its investigation page on September 24, 2025, with no filing confirmed.
Do not confuse this incident with the separate Covenant Health breach (478,000 affected, Qilin ransomware, Wickett v. Covenant Health Inc., 1:26-cv-10044, D. Mass.), which is a Maine-based hospital system and an entirely unrelated entity.
What to do
This week:
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account identity theft.
- Watch your mail. Notification letters typically follow an OCR filing by 30 to 60 days. For this incident some letters may have arrived as late as Q4 2025 or early 2026, depending on the surgery center handling delivery. Open anything from an ambulatory surgery center, physician practice, or “data incident administrator” carefully.
- Read the letter for credit-monitoring enrollment codes. If your letter offers complimentary credit monitoring or identity-theft protection, enroll. It is free to you and the enrollment window is finite.
This month:
- SSN exposure is listed in multi-state AG disclosures but not publicly confirmed by the entity notice. If your notification letter mentions SSN or government ID exposure, file IRS Form 14039 (Identity Theft Affidavit) and place a fraud alert with the Social Security Administration. Tax-refund and unemployment-insurance fraud are the most common downstream consequences of SSN exposure in healthcare breaches.
- Consider what flows out from here. Once exposed health data is in circulation, it is bought, enriched, and resold by data brokers and ad-tech firms. HealthConsent files HIPAA restriction requests, FTC Health Breach Notification Rule deletion requests, and state-law deletion requests across the data-broker ecosystem so the medical information exposed in breaches like this is not continuously re-sold. Credit monitoring addresses financial fraud. It does not address the flow of your diagnoses through the data-broker layer.
If a class action is later filed: preserve your notification letter, any envelopes, and any out-of-pocket expenses (time spent dealing with the breach, fraudulent charges, credit-report purchases, lost wages). Documented losses are the basis for higher recovery tiers in most data-breach class settlements.
We are not a law firm and this is not legal advice. We are an independent health-data privacy service.
Sources
- HHS Office for Civil Rights Breach Portal, the federal regulatory record of this breach.
- HIPAA Times: Covenant Surgical Partners reports breach affecting 88,609, confirms filing date, affected count, breach type, absence of public substitute notice, and identifies Siri & Glimstad LLP as a fifth investigating law firm alongside Levi & Korsinsky and Shamis & Gentile.
- Strauss Borrelli PLLC: Covenant Physician Partners Data Breach Investigation, confirms Covenant Surgical Partners d/b/a Covenant Physician Partners, business-associate scope, and notification path.
- Lynch Carpenter, LLP investigation notice (GlobeNewswire, June 24, 2025), source for the exposed-data categories cited above.
- ClassAction.org: Covenant Surgical Partners Data Breach Lawsuit Investigation, investigation page with no class action filed as of last update.
- Becker’s ASC: Covenant Surgical Partners suffers data breach affecting 88,000+, trade-press confirmation of the breach and parent-company chain (USPI/Tenet).
- Texas Attorney General Data Breach Reporting, state-law reporting framework applicable to the Texas-coded OCR filing.
- ClaimDepot: Covenant Surgical Partners Data Breach, aggregates AG portal disclosures across 14 states; source for multi-state filing scope and SSN/Government ID data-type listings. Note that SSN/Government ID categories are unconfirmed by the entity’s own published notice.
- ASC News: Covenant Surgical Partners Reports Data Breach Affecting More Than 88,000 People, trade press confirming Nashville, TN headquarters and ASC operator profile.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Times: Covenant Surgical Partners reports breach affecting 88,609
- Strauss Borrelli PLLC: Covenant Physician Partners Data Breach Investigation
- Lynch Carpenter, LLP investigation notice (GlobeNewswire, June 24, 2025)
- ClassAction.org: Covenant Surgical Partners Data Breach Lawsuit Investigation
- Becker's ASC: Covenant Surgical Partners suffers data breach affecting 88,000+
- Texas Attorney General Data Breach Reporting
- ClaimDepot: Covenant Surgical Partners Data Breach — multi-state AG disclosure list
- ASC News: Covenant Surgical Partners Reports Data Breach Affecting More Than 88,000 People
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.