On May 26, 2025, Covenant Health Inc. discovered unusual activity in its IT environment, prompting an investigation. Forensic specialists determined that an unauthorized party had gained access to the network as early as May 18, 2025.
According to a disclosure filed with the Maine Attorney General, the breach resulted in the exposure of sensitive information belonging to 7,864 individuals in the United States, including 4,659 residents of Maine. Similar disclosures were made to the New Hampshire Attorney General (2,269 residents affected) and the Massachusetts Attorney General (189 residents affected).
Additionally, a disclosure was made to the Department of Health and Human Services, stating that 7,864 Americans had their protected health information potentially exposed.
The compromised data includes both personally identifiable information (PII) and protected health information (PHI): names, addresses, dates of birth, Social Security numbers, medical record numbers, health insurance information, dates of treatment, diagnoses, and specific treatment details. The severity of this breach is heightened by the nature of the information exposed, which can be used for identity theft or medical fraud.
According to a dark web review by Claim Depot, the breach was the result of a ransomware attack attributed to the Qilin group, which claimed responsibility in a dark web posting dated June 24, 2025. The group reportedly exfiltrated data and threatened to release it unless a ransom was paid. The attack was publicized on the Tor network, a common platform for ransomware actors.
After detecting the breach, Covenant Health Inc. took immediate steps to secure and restore its systems, engaging leading cybersecurity and forensic experts to investigate the incident. The company notified federal law enforcement and relevant regulatory agencies, and began mailing written notification letters to affected individuals on July 11, 2025, in accordance with HIPAA and state law.
To support those impacted, Covenant Health Inc. is offering a complimentary one-year membership to Experian IdentityWorks, which includes credit monitoring, identity restoration services, and up to $1 million in identity theft insurance. Affected individuals are encouraged to activate their membership, monitor credit reports, and review health insurance statements for unauthorized activity. The company has also enhanced its IT security measures to help prevent future incidents. For further assistance, a dedicated toll-free incident response line is available at 1-855-361-0344, Monday through Friday, 9 a.m. to 9 p.m. Eastern Time.
Given the ransomware nature of the attack and the types of data involved, it is especially important for affected individuals to remain vigilant against identity theft and fraud. Steps such as placing fraud alerts or security freezes with credit bureaus, monitoring financial and medical statements, and contacting authorities if suspicious activity is detected are strongly recommended.
More information about the organization can be found on the Covenant Health website.