Covenant Health Breach Exposes 478,000 Patient Records
Investigation reveals Qilin ransomware attack in May 2025 was far larger than initially reported. The gang has already leaked 850GB of stolen data.
Andover, Massachusetts-based Covenant Health has disclosed that a ransomware attack discovered last May impacted far more people than initially reported. The healthcare organization now says 478,000 individuals had their personal and medical information exposed—up from the 7,864 victims reported in July.
The Qilin ransomware group, which took credit for the attack in June 2025, claims to have stolen over 1.3 million files totaling 850GB. That data has since been published on the gang's leak site, indicating no ransom was paid.
Timeline of the Breach
The intrusion occurred on May 18, 2025. Covenant Health discovered it eight days later on May 26. What followed was a months-long investigation to determine exactly what was taken.
The first disclosure to Maine's Attorney General came in July, reporting fewer than 8,000 affected individuals. By December, that number had grown sixty-fold as forensic analysis revealed the true scope.
This kind of revision is common in healthcare breaches. Organizations often can't immediately determine what files were accessed or exfiltrated. The gap between initial estimates and final counts regularly spans orders of magnitude.
What Was Exposed
The stolen data includes both personally identifiable information and protected health information:
- Names and addresses
- Dates of birth
- Social Security numbers
- Medical record numbers
- Health insurance information
- Dates of treatment
- Diagnoses and treatment details
For healthcare organizations, this combination represents a worst-case scenario. Social Security numbers enable identity theft. Medical information enables insurance fraud. Combined, they create comprehensive identity profiles that remain valuable on criminal markets for years.
Covenant Health operates healthcare facilities across Massachusetts, Maine, New Hampshire, Pennsylvania, Rhode Island, and Vermont. The geographic spread means victims are distributed across New England and beyond.
Qilin's Healthcare Focus
Qilin has claimed responsibility for 38 confirmed ransomware attacks in 2025, plus 261 unconfirmed claims that targeted organizations haven't acknowledged. Eight of those confirmed attacks hit healthcare companies.
The gang operates a ransomware-as-a-service model, recruiting affiliates who conduct the actual intrusions. Qilin provides the ransomware tools and leak infrastructure; affiliates keep a percentage of any ransom paid.
Healthcare organizations make attractive targets because downtime directly threatens patient care. That pressure often pushes victims toward payment. When organizations refuse—as Covenant Health apparently did—the data gets dumped publicly.
Response and Remediation
Covenant Health is offering affected individuals one year of complimentary credit monitoring through Experian IdentityWorks. The package includes identity restoration services and up to $1 million in identity theft insurance.
One year of monitoring may not be sufficient given the sensitivity of the exposed data. Medical information doesn't change like credit card numbers do. A diagnosis from 2025 remains accurate—and exploitable—indefinitely.
For patients whose information was exposed, ongoing vigilance is warranted. That means watching for unexpected medical bills, monitoring insurance Explanation of Benefits statements for services not received, and considering freezing credit with all three bureaus rather than simply monitoring.
The Healthcare Sector's Ongoing Crisis
This breach arrives amid a broader healthcare security crisis. Through December 2025, 471 hacking incidents were reported to federal regulators, impacting 42.5 million people. While that's down from 2024's catastrophic 270 million affected individuals, it still represents a significant ongoing threat.
The Change Healthcare breach alone in 2024 compromised roughly one in four Americans. Attackers learned that healthcare organizations often lack the security investments of financial services or technology companies while holding data that's equally—or more—sensitive.
For healthcare security teams, the playbook is familiar but underfunded: network segmentation to limit ransomware spread, offline backups to enable recovery without payment, endpoint detection to catch intrusions early, and staff training to prevent the initial phishing or credential compromise that starts most incidents.
Covenant Health's 11-month delay between breach and full disclosure also highlights the challenge of breach forensics. Understanding exactly what was taken from complex healthcare systems takes time—time during which affected patients don't know their information may be circulating on criminal forums.