Covenant Health data breach affects nearly 500,000 patients

When a healthcare data breach is first disclosed, the number of people affected is often far lower than the final tally. That figure frequently climbs as investigations continue. That’s exactly what happened with Andover, Massachusetts-based Covenant Health. The Catholic healthcare provider has now confirmed that a cyberattack discovered last May may have affected nearly 500,000 patients, a sharp increase from the fewer than 8,000 people it initially reported earlier this year.

A ransomware group later claimed responsibility for the incident, though Covenant Health has not publicly confirmed the use of ransomware. The attackers accessed names, addresses, Social Security numbers, and health information, among other sensitive data that could put patients at serious risk.

A person is using a phone

What happened in the Covenant Health breach

Covenant Health says it detected unusual activity in its IT environment on May 26, 2025. A later investigation revealed that an attacker had actually gained access eight days earlier, on May 18, and was able to access patient data during that window.

In July, Covenant Health told regulators that the breach impacted 7,864 individuals. After completing what it describes as extensive data analysis, the organization now says that up to 478,188 individuals may have been affected.

Covenant Health operates hospitals, nursing and rehabilitation centers, assisted living residences, and elder care organizations across New England and parts of Pennsylvania. That wide footprint means the breach potentially touched patients across multiple states and care settings.

In late June, the Qilin ransomware group claimed responsibility for the attack, as reported by Bleeping Computer. The group alleged it stole 852 GB of data, totaling nearly 1.35 million files. Covenant Health has not confirmed those figures, but it did acknowledge that patient information was accessed.

According to the organization, the exposed data may have included names, addresses, dates of birth, medical record numbers, Social Security numbers, health insurance details, and treatment information such as diagnoses, dates of treatment, and types of care received.

Qilin ransomware lists Covenant Health on its data leak site

Bleeping Computer

What Covenant Health is telling patients

In a notice sent to regulators and patients, Covenant Health says it engaged third-party forensic specialists to investigate the incident and determine what data was involved. The organization says its data analysis is ongoing as it continues identifying individuals whose information may have been involved.

Then there are the familiar statements every company makes after a breach, claiming they’ve strengthened the security of their IT systems to help prevent similar incidents in the future. Covenant Health says it has also set up a dedicated toll-free call center to handle questions related to the breach.

Beginning December 31, 2025, the organization started mailing notification letters to patients whose information may have been compromised. For individuals whose Social Security numbers may have been involved, Covenant Health is offering complimentary credit monitoring and identity theft protection services.

We reached out to Covenant Health, and the company confirmed the expanded scope of the incident and outlined steps being taken to notify patients and enhance security safeguards.

A person is looking at a desktop

7 steps you can take to protect yourself after the Covenant Health breach

If you received a notice from Covenant Health or if your data has been exposed in any healthcare breach, these steps can help reduce the risk of misuse.

1) Enroll in the free identity protection offered

If the organization offers you credit monitoring or identity protection, take it. These services can alert you to suspicious activity tied to your Social Security number, credit file, or identity details before real damage is done. If you’re not offered one and want to be on the safer side, you might consider getting one yourself.

Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number, and email address, and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

One of the best parts of my top pick, Aura: Identity Theft Protection, is its all-in-one approach to safeguarding your personal and financial life. Aura includes identity theft insurance of up to $1 million per adult to cover eligible losses and legal fees, plus 24/7 U.S.-based fraud resolution support with dedicated case managers ready to help restore your identity fast.

Exclusive CyberGuy deal: Save up to 68% today: Get Aura’s award-winning identity theft protection and credit monitoring for as low as $9/month when billed annually.

2) Monitor medical and insurance statements closely

Medical identity theft often shows up quietly. Review explanation of benefits (EOBs), insurance claims, and billing statements for services you don’t recognize. If something looks off, report it to your insurer immediately.

3) Place a fraud alert or credit freeze

A fraud alert tells lenders to take extra steps to verify your identity before approving credit. A credit freeze goes further by blocking new accounts entirely unless you lift it. If Social Security numbers were exposed, a freeze is usually the safer option.

4) Use a password manager

Healthcare breaches often lead to credential-stuffing attacks elsewhere. A password manager ensures every account uses a unique password, so one exposed dataset can’t unlock everything else. It also makes it easier to update passwords quickly after a breach.

Next, see if your email has been exposed in past breaches. Our #1 pick, NordPass, includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

One of the best password managers out there is NordPass. It is secure, user-friendly, and uses zero-knowledge architecture with military-grade XChaCha20 encryption to protect your data. NordPass works across Windows, macOS, Linux, Android, iOS, and major browsers and includes features like:

Unlimited password storage
Secure sharing
Password health reports
Auto-fill and emergency access
Data breach monitoring to alert you if your credentials have been exposed
A Security Dashboard with tools like the Data Breach Scanner and Password Health Checker to identify weak, reused, or compromised passwords

Use NordPass to check if your email or passwords have shown up in known data breaches, and take immediate action if they have.

CyberGuy Exclusive Deal: Save 52% now with CyberGuy’s exclusive NordPass offer – Get 1 extra month FREE with a 2-year plan. Try 30 days risk-free for only $1.43 per month!

5) Be cautious of phishing scams and use strong antivirus software

Breaches are frequently followed by phishing emails, texts, or calls that reference the incident to sound legitimate. Attackers may pose as the healthcare provider, an insurer, or a credit bureau. Don’t click links or share information unless you verify the source independently.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

My top pick is TotalAV.

TotalAV is easy to set up and offers real-time protection for paid users, keeping your devices safe around the clock. It includes tools to block phishing scams, remove ransomware and spyware, and clean up adware and junk files. The software also features a browser manager, system tune-up tools, and protects across Windows, Mac, Android, and iOS devices.

GET MY EXCLUSIVE CYBERGUY TOTALAV DEAL:

$19 your first year (protects 5 devices)

Please note:
1) If you're having difficulty seeing either of the above deals, do this:

- If you're on a mobile device, hold down the link above, "Copy Link", and then paste it into a private or incognito browser.

- If you're on a laptop or desktop, right click the link, "Copy Link", and then paste it into a private or incognito browser.

2) During registration you may see optional upsells you can decline. Our top pick is the core antivirus product.

3) If you need help after your purchase, you can reach TotalAV directly through their official support page here.

6) Consider a personal data removal service

Once your data leaks, it often spreads across data broker sites. Personal data removal services help reduce your digital footprint by requesting takedowns from these databases. While they can’t erase everything, they lower your exposure and make targeted fraud harder.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Incogni, a service I trust 100% and use myself, helps automate the process by submitting removal requests to hundreds of data brokers and people-search sites on your behalf.

Incogni automatically contacts data brokers on your behalf and requests the removal of your personal information. It also continues monitoring those sites and submits new removal requests if your data reappears.

Incogni currently removes personal data from 420+ data broker and people-search websites, and its Unlimited plan allows you to request removals from as many additional sites as you need.
Incogni has also received third-party assurance from Deloitte, validating its marketing claims.
The goal is simple: make it much harder for strangers, scammers, and cybercriminals to find your personal information online.

CyberGuy Exclusive: 60% off

CyberGuy readers get 60% off Incogni’s annual plans using the links in this article.

The service also includes a 30-day money-back guarantee, so you can try it risk-free and see how much of your information is exposed online.

Get Incogni and remove your info

Protect your household with Incogni’s Family Plan

Get Incogni’s Family Plan

Is your personal information exposed online?

Run a free scan to see if your personal info is compromised. Results arrive by email in about an hour.

7) Review your credit reports regularly

You’re entitled to free credit reports from all major bureaus. Check them for unfamiliar accounts, hard inquiries, or address changes. Catching fraud early makes it far easier to contain.

Related Links:

Kurt’s key takeaway

Healthcare organizations remain prime targets for cybercriminal groups because of the volume and sensitivity of the data they store. Medical records contain a mix of personal, financial, and health information that is difficult to change once exposed. Unlike a password, you cannot reset a diagnosis or treatment history. This breach also shows how early disclosures often underestimate impact. Large healthcare networks rely on complex systems and third-party vendors, which can slow forensic analysis in the early stages. As investigations continue, the number of affected individuals often climbs.

Do you think healthcare organizations do enough to protect user data? Let us know in the comments below.

FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE