Covenant Health Data Breach Exposes SSNs & Health Info

Published: July 13, 2025
Updated: July 13, 2025
Types of information affected
  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial information

On May 26, 2025, Covenant Health Inc. discovered unusual activity in its IT environment, prompting an investigation. Forensic specialists determined that an unauthorized party had gained access to the network as early as May 18, 2025.

According to a disclosure filed with the Maine Attorney General, the breach resulted in the exposure of sensitive information belonging to 7,864 individuals in the United States, including 4,659 residents of Maine. The compromised data includes both personally identifiable information (PII) and protected health information (PHI): names, addresses, dates of birth, Social Security numbers, medical record numbers, health insurance information, dates of treatment, diagnoses, and specific treatment details.

The severity of this breach is heightened by the nature of the information exposed, which can be used for identity theft or medical fraud. According to a dark web review by Claim Depot, the breach was the result of a ransomware attack attributed to the Qilin group, which claimed responsibility in a dark web posting dated June 24, 2025. The group reportedly exfiltrated data and threatened to release it unless a ransom was paid. The attack was publicized on the Tor network, a common platform for ransomware actors.

Covenant Health's response

After detecting the breach, Covenant Health Inc. took immediate steps to secure and restore its systems, engaging leading cybersecurity and forensic experts to investigate the incident. The company notified federal law enforcement and relevant regulatory agencies, and began mailing written notification letters to affected individuals on July 11, 2025, in accordance with HIPAA and state law.

To support those impacted, Covenant Health Inc. is offering a complimentary one-year membership to Experian IdentityWorks, which includes credit monitoring, identity restoration services, and up to $1 million in identity theft insurance. Affected individuals are encouraged to activate their membership, monitor credit reports, and review health insurance statements for unauthorized activity. The company has also enhanced its IT security measures to help prevent future incidents. For further assistance, a dedicated toll-free incident response line is available at 1-855-361-0344, Monday through Friday, 9 a.m. to 9 p.m. Eastern Time.

Given the ransomware nature of the attack and the types of data involved, it is especially important for affected individuals to remain vigilant against identity theft and fraud. Steps such as placing fraud alerts or security freezes with credit bureaus, monitoring financial and medical statements, and contacting authorities if suspicious activity is detected are strongly recommended.

More information about the organization can be found on the Covenant Health website.

Affected Entity: Covenant Health
Consumer Notification Date: July 11, 2025
Date of Breach:
Breach Discovered Date: May 26, 2025
Total People Affected:
Information Types Exposed:
  • Social Security number
  • address
  • date of birth
  • dates of treatment
  • diagnoses
  • health insurance information
  • medical record number
  • names
  • treatment information
  • type of treatment