Covenant Health data breach impacts 478,188 patients after May cyberattack

When a healthcare data breach is first disclosed, the number of people affected is often far lower than the final tally. That figure frequently climbs as investigations continue. 

That’s exactly what happened with Andover, Mass.-based Covenant Health. The Catholic healthcare provider has now confirmed that a cyberattack discovered last May may have affected nearly 500,000 patients, a sharp increase from the fewer than 8,000 people it initially reported earlier this year. 

A ransomware group later claimed responsibility for the incident, though Covenant Health has not publicly confirmed the use of ransomware. The attackers accessed names, addresses, Social Security numbers and health information, among other sensitive data that could put patients at serious risk.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

UNIVERSITY OF PHOENIX DATA BREACH HITS 3.5M PEOPLE

Covenant Health detected suspicious activity in late May 2025, but investigators later confirmed attackers had already accessed systems days earlier. (Kurt “CyberGuy” Knutsson)

What happened in the Covenant Health breach

Covenant Health says it detected unusual activity in its IT environment on May 26, 2025. A later investigation revealed that an attacker had actually gained access eight days earlier, on May 18, and was able to access patient data during that window.

In July, Covenant Health told regulators that the breach impacted 7,864 individuals. After completing what it describes as extensive data analysis, the organization now says that up to 478,188 individuals may have been affected.

Covenant Health operates hospitals, nursing and rehabilitation centers, assisted living residences and elder care organizations across New England and parts of Pennsylvania. That wide footprint means the breach potentially touched patients across multiple states and care settings.

In late June, the Qilin ransomware group claimed responsibility for the attack, as reported by Bleeping Computer. The group alleged it stole 852 GB of data, totaling nearly 1.35 million files. Covenant Health has not confirmed those figures, but it did acknowledge that patient information was accessed.

According to the organization, the exposed data may have included names, addresses, dates of birth, medical record numbers, Social Security numbers, health insurance details and treatment information such as diagnoses, dates of treatment and types of care received.

700CREDIT DATA BREACH EXPOSES SSNS OF 5.8M CONSUMERS

Qilin ransomware lists Covenant Health on its data leak site. (Bleeping Computer)

What Covenant Health is telling patients

In a notice sent to regulators and patients, Covenant Health says it engaged third-party forensic specialists to investigate the incident and determine what data was involved. The organization says its data analysis is ongoing as it continues identifying individuals whose information may have been involved.

Then there are the familiar statements every company makes after a breach, claiming they’ve strengthened the security of their IT systems to help prevent similar incidents in the future. Covenant Health says it has also set up a dedicated toll-free call center to handle questions related to the breach.

Beginning Dec. 31, 2025, the organization started mailing notification letters to patients whose information may have been compromised. For individuals whose Social Security numbers may have been involved, Covenant Health is offering complimentary credit monitoring and identity theft protection services.

We reached out to Covenant Health, and the company confirmed the expanded scope of the incident and outlined steps being taken to notify patients and enhance security safeguards.

DATA BREACH EXPOSES 400K BANK CUSTOMERS’ INFO

The breach exposed highly sensitive information, including names, Social Security numbers, medical records and treatment details tied to nearly half a million patients. (Kurt “CyberGuy” Knutsson)

7 steps you can take to protect yourself after the Covenant Health breach

If you received a notice from Covenant Health or if your data has been exposed in any healthcare breach, these steps can help reduce the risk of misuse.

1) Enroll in the free identity protection offered

If the organization offers you credit monitoring or identity protection, take it. These services can alert you to suspicious activity tied to your Social Security number, credit file or identity details before real damage is done. If you’re not offered one and want to be on the safer side, you might consider getting one yourself.

Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number and email address, and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

See my tips and best picks on how to protect yourself from identity theft at Cyberguy.com

2) Monitor medical and insurance statements closely

Medical identity theft often shows up quietly. Review an explanation of benefits (EOBs), insurance claims and billing statements for services you don’t recognize. If something looks off, report it to your insurer immediately.

3) Place a fraud alert or credit freeze

A fraud alert tells lenders to take extra steps to verify your identity before approving credit. A credit freeze goes further by blocking new accounts entirely unless you lift it. If Social Security numbers were exposed, a freeze is usually the safer option.

To learn more about how to do this, go to Cyberguy.com and search “How to freeze your credit.” 

4) Use a password manager

Healthcare breaches often lead to credential-stuffing attacks elsewhere. A password manager ensures every account uses a unique password, so one exposed dataset can’t unlock everything else. It also makes it easier to update passwords quickly after a breach.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.

5) Be cautious of phishing scams and use strong antivirus software

Breaches are frequently followed by phishing emails, texts or calls that reference the incident to sound legitimate. Attackers may pose as the healthcare provider, an insurer or a credit bureau. Don’t click links or share information unless you verify the source independently.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com.

6) Consider a personal data removal service

Once your data leaks, it often spreads across data broker sites. Personal data removal services help reduce your digital footprint by requesting takedowns from these databases. While they can’t erase everything, they lower your exposure and make targeted fraud harder.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

7) Review your credit reports regularly

You’re entitled to free credit reports from all major bureaus. Check them for unfamiliar accounts, hard inquiries or address changes. Catching fraud early makes it far easier to contain.

Kurt’s key takeaway

Healthcare organizations remain prime targets for cybercriminal groups because of the volume and sensitivity of the data they store. Medical records contain a mix of personal, financial, and health information that is difficult to change once exposed. Unlike a password, you cannot reset a diagnosis or treatment history. This breach also shows how early disclosures often underestimate impact. Large healthcare networks rely on complex systems and third-party vendors, which can slow forensic analysis in the early stages. As investigations continue, the number of affected individuals often climbs.

Do you think healthcare organizations do enough to protect user data? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter. 

Copyright 2025 CyberGuy.com.  All rights reserved.