Covenant Health Discloses Massive Data Breach Affecting Nearly 500,000 Patients
Covenant Health, a Massachusetts-based Catholic healthcare system serving New England and parts of New York, has reported a major data breach impacting 478,188 individuals, with over half residing in Maine. The incident, stemming from a network intrusion in May 2025, exposed sensitive personal and medical information, triggering regulatory notifications and identity protection measures.
The breach was detected on May 26, 2025, after unusual activity was observed in Covenant Health’s IT systems. A forensic investigation by an unnamed third-party cybersecurity firm revealed that an unauthorized actor had gained access to the network eight days earlier, on May 18. The intruder accessed a range of patient data, including:
- Full names
- Addresses
- Dates of birth
- Social Security numbers
- Medical record numbers
- Health insurance details
- Treatment information (diagnoses, service dates)
Covenant Health completed its internal review in December 2025 and began notifying affected individuals in two phases—first in July 2025 and again on December 31, 2025. The organization has since implemented remediation efforts, including system restoration, forensic analysis, and law enforcement engagement. As a precaution, affected patients are being offered a free one-year membership to Experian IdentityWorks, covering credit monitoring, fraud consultation, and identity theft restoration.
While no evidence of data misuse has been reported, the breach underscores the ongoing risks to healthcare data security, particularly for organizations subject to HIPAA and state privacy regulations. Covenant Health has set up a dedicated call center to address patient inquiries related to the incident.
Source: https://cyberinsider.com/covenant-health-data-breach-impacts-nearly-480000-patients/
Covenant Health (MA) cybersecurity rating report: https://www.rankiteo.com/company/covhealth
"id": "COV1767368358",
"linkid": "covhealth",
"type": "Breach",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '478,188',
'industry': 'Healthcare',
'location': 'Andover, Massachusetts, USA',
'name': 'Covenant Health',
'type': 'Healthcare System'}],
'attack_vector': 'Network Intrusion',
'customer_advisories': 'Free one-year membership to Experian IdentityWorks '
'for affected patients, including credit monitoring, '
'fraud consultation, and identity theft restoration '
'services',
'data_breach': {'number_of_records_exposed': '478,188',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Full names',
'Addresses',
'Dates of birth',
'Social Security numbers',
'Medical record numbers',
'Health insurance details',
'Treatment information '
'(diagnoses and service dates)']},
'date_detected': '2025-05-26',
'date_publicly_disclosed': '2025-12-31',
'description': 'Covenant Health, a Catholic healthcare system, disclosed a '
'significant data breach affecting 478,188 individuals, with '
'over half of those impacted residing in Maine. The breach '
'resulted from a network intrusion in May 2025, exposing '
'sensitive personal and medical data.',
'impact': {'data_compromised': 'Sensitive personal and medical data',
'identity_theft_risk': 'High',
'systems_affected': 'IT environment'},
'investigation_status': 'Completed',
'recommendations': 'Monitor insurance claims and credit activity for '
'suspicious behavior',
'references': [{'source': 'Maine Attorney General’s Office'}],
'regulatory_compliance': {'regulations_violated': ['HIPAA'],
'regulatory_notifications': 'Maine Attorney '
'General’s Office'},
'response': {'communication_strategy': 'Notices filed with Maine Attorney '
'General’s Office, dedicated call '
'center established',
'containment_measures': 'Securing and restoring IT systems',
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Yes',
'remediation_measures': 'Forensic review by cybersecurity '
'experts',
'third_party_assistance': 'Unnamed cybersecurity firm'},
'title': 'Covenant Health Data Breach',
'type': 'Data Breach'}