Active breach tracker Texas Disclosed May 28, 2025

Covenant Surgical Partners Data Breach 2025: 88,609 Affected. Business-Associate Hack Notified Through Your ASC. Class-Action Investigations Open. What To Do

Covenant Surgical Partners, Inc. d/b/a Covenant Physician Partners, an ambulatory surgery center management company under USPI/Tenet Healthcare, filed a HIPAA breach with HHS OCR on May 28, 2025 affecting 88,609 individuals. The OCR record lists Covenant as a Business Associate, so notification letters reach patients through their surgery center, not from Covenant directly. Multiple plaintiff firms have opened investigations; no class action has been confirmed filed as of this update.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 28, 2025

Filed with HHS OCR: 88,609 individuals, Hacking/IT Incident on Network Server, role Business Associate, state TX

Jun 10, 2025

Strauss Borrelli PLLC publicly announces investigation of the Covenant Physician Partners breach

Jun 20, 2025

HIPAA Times publishes coverage; notes absence of public substitute notice from Covenant or parent USPI/Tenet

Jun 24, 2025

Lynch Carpenter, LLP issues investigation notice; identifies exposed categories as name, DOB, contact info, medical records, payment, insurance

Sep 24, 2025

ClassAction.org closes its investigation page with no class action complaint confirmed filed

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Medical records

03

Contact & insurance

Phishing + targeted scams

Full name Contact information (address, phone, email) Health insurance information Payment information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Lynch Carpenter, LLP (investigation) Levi & Korsinsky, LLP (investigation) Strauss Borrelli PLLC (investigation) Shamis & Gentile P.A. (investigation) Siri & Glimstad LLP (investigation)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Covenant Surgical Partners, Inc., doing business as Covenant Physician Partners, filed a HIPAA breach notification with the HHS Office for Civil Rights on May 28, 2025, reporting 88,609 affected individuals in a Hacking/IT Incident at a network server. The OCR record lists the entity’s role as Business Associate with the covered-entity type recorded against Texas. That role classification is the most important fact on the page for affected patients: notification letters do not arrive from Covenant. They arrive from the ambulatory surgery center or physician practice that contracted with Covenant for back-office services.

Timeline

  • May 28, 2025. Covenant Surgical Partners, Inc. files with HHS OCR. The portal records 88,609 affected individuals, breach type Hacking/IT Incident, location of breached information Network Server, and role Business Associate.
  • June 10, 2025. Strauss Borrelli PLLC publicly announces an investigation into the Covenant Physician Partners breach.
  • June 20, 2025. HIPAA Times publishes trade coverage and notes the absence of a public substitute notice from Covenant or parent companies USPI and Tenet Healthcare.
  • June 24, 2025. Lynch Carpenter, LLP issues an investigation notice on GlobeNewswire and identifies exposed categories: name, date of birth, contact information, medical records, payment information, and health insurance information.
  • Through 2025. Additional plaintiff firms open investigations: Levi & Korsinsky LLP, Shamis & Gentile P.A., and Siri & Glimstad LLP. Covenant notifies state attorneys general in at least 14 states and files with the SEC. No class action has been confirmed filed as of this update.

The breach incident date itself, the attacker, and the technical attack vector have not been publicly disclosed by Covenant or its parent companies.

What was exposed

Per the Lynch Carpenter investigation notice (June 24, 2025) and corroborating HIPAA Times coverage, the data elements involved include:

  • Full name
  • Contact information (address, phone, email)
  • Date of birth
  • Medical records
  • Health insurance information
  • Payment information

ClaimDepot, which aggregates state AG portal disclosures, additionally lists Social Security numbers and government IDs as affected data types. This is consistent with the breadth of multi-state AG filings Covenant made, which typically include the state-specific notification letters. However, neither Covenant nor USPI has published a public notice confirming SSN exposure, and the entity’s own notification letter text has not been independently extracted from any state AG portal as of this update. Treat the SSN claim as unconfirmed until the entity issues a public notice or a state AG portal notice is extracted and reviewed.

The OCR portal entry by itself does not enumerate data elements. The breakdown above comes from the plaintiff-firm investigation notices, which typically work from copies of the notification letters mailed to affected patients.

Who’s notifying you, your surgery center, not Covenant

Covenant Surgical Partners d/b/a Covenant Physician Partners is a back-office and management company for ambulatory surgery centers and physician practices. It provides HR, billing, compliance, IT, clinical services, accounting, payroll, and payor relations to the surgical practices it owns or manages. The patients whose data was exposed are patients of those downstream surgery centers, not direct patients of Covenant.

Under HIPAA, when a business associate has a breach, the BA may either notify affected individuals itself or delegate that duty to the covered entity. Covenant has taken the second path. Most affected patients will receive a letter on letterhead from the surgical center or physician practice where they were treated, with a reference to a third-party service provider or vendor.

The practical signal in the mailbox is the envelope. A letter in 2025 or 2026 from an ambulatory surgery center referencing a “data security incident” or an “incident involving a service provider” is the typical form. Covenant has not published a substitute notice on its own website or its parent company’s website.

Covenant was acquired by United Surgical Partners International (USPI), a subsidiary of Tenet Healthcare, in July 2024. The company was headquartered in Nashville, Tennessee prior to the acquisition, where it was founded in 2005 as a single and limited-specialty ASC operator before rebranding as Covenant Physician Partners in 2020. USPI operates a network of approximately 535 surgical facilities nationally.

State AG filings

Covenant Surgical Partners notified state attorneys general across at least 14 states. ClaimDepot, which aggregates AG portal disclosures, lists filings with the California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington attorneys general, as well as a filing with the U.S. Securities and Exchange Commission. The breadth of these filings indicates that affected individuals are spread across many states, consistent with Covenant’s multi-state footprint of managed surgery centers.

The specific state-resident counts and the text of the consumer notification letters have not been independently extracted from state AG portals as of this update.

Class-action posture

As of this update:

  • Investigations open at Lynch Carpenter LLP, Levi & Korsinsky LLP, Strauss Borrelli PLLC, Shamis & Gentile P.A., and Siri & Glimstad LLP.
  • No class action complaint has been publicly confirmed filed against Covenant Surgical Partners, Inc., Covenant Physician Partners, USPI, or Tenet Healthcare in connection with this breach.
  • ClassAction.org closed its investigation page on September 24, 2025, with no filing confirmed.

Do not confuse this incident with the separate Covenant Health breach (478,000 affected, Qilin ransomware, Wickett v. Covenant Health Inc., 1:26-cv-10044, D. Mass.), which is a Maine-based hospital system and an entirely unrelated entity.

What to do

This week:

  1. Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account identity theft.
  2. Watch your mail. Notification letters typically follow an OCR filing by 30 to 60 days. For this incident some letters may have arrived as late as Q4 2025 or early 2026, depending on the surgery center handling delivery. Open anything from an ambulatory surgery center, physician practice, or “data incident administrator” carefully.
  3. Read the letter for credit-monitoring enrollment codes. If your letter offers complimentary credit monitoring or identity-theft protection, enroll. It is free to you and the enrollment window is finite.

This month:

  1. SSN exposure is listed in multi-state AG disclosures but not publicly confirmed by the entity notice. If your notification letter mentions SSN or government ID exposure, file IRS Form 14039 (Identity Theft Affidavit) and place a fraud alert with the Social Security Administration. Tax-refund and unemployment-insurance fraud are the most common downstream consequences of SSN exposure in healthcare breaches.
  2. Consider what flows out from here. Once exposed health data is in circulation, it is bought, enriched, and resold by data brokers and ad-tech firms. HealthConsent files HIPAA restriction requests, FTC Health Breach Notification Rule deletion requests, and state-law deletion requests across the data-broker ecosystem so the medical information exposed in breaches like this is not continuously re-sold. Credit monitoring addresses financial fraud. It does not address the flow of your diagnoses through the data-broker layer.

If a class action is later filed: preserve your notification letter, any envelopes, and any out-of-pocket expenses (time spent dealing with the breach, fraudulent charges, credit-report purchases, lost wages). Documented losses are the basis for higher recovery tiers in most data-breach class settlements.

We are not a law firm and this is not legal advice. We are an independent health-data privacy service.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.