Nearly 480,000 impacted by Covenant Health data breach

A cyberattack last year exposed the sensitive information of 478,188 people, the Catholic healthcare organization Covenant Health said.

Covenant Health operates three hospitals and multiple rehabilitation centers, assisted living residences, and community-based health and elder care organizations across Maine, Massachusetts, New Hampshire, Pennsylvania, Rhode Island and Vermont. 

In May 2025, hackers breached the organization’s network and stole patients’ names, addresses, dates of birth, medical record numbers, Social Security numbers, health insurance information, and treatment information like diagnoses, dates of treatment, and types of treatment.

Covenant Health began sending breach notification letters to victims on New Year’s Eve. Victims are being offered one year of credit monitoring services. 

The organization said its investigation into the incident finished on December 10 and found that cybercriminals had access to its IT systems from May 18 until about May 26. Federal law enforcement was notified of the attack at the time. 

The cyberattack had a significant impact on two hospitals in Maine — St. Joseph Hospital and St. Mary’s Health System — and one in New Hampshire, which is also called St. Joseph Hospital.

Wait times at St. Mary’s increased and its labs were only able to process paper orders. St. Joseph Hospital in New Hampshire said lab services were only available at the main hospital campus and services could only be provided with a physical order in hand.

The attack was eventually claimed by the Qilin ransomware gang, which previously caused chaos in the U.K. after damaging dozens of hospitals and local clinics in London. 

The group was one of the most destructive ransomware operations in 2025, targeting several U.S. municipalities, Japanese beverage giant Asahi, and one of the largest newspaper chains in the United States. It also launched significant attacks on the governments of Malaysia and Palau. 

Cisco Talos published a study finding that the gang published the information of about 40 victims per month last year. 

The cybersecurity research firm Comparitech tracked more than 700 Qilin attacks last year, with 118 being confirmed. About half of the attacks targeted the U.S., while France, Canada, South Korea and Spain also had a large proportion of organizations that dealt with Qilin incidents.