Covenant Health Ransomware Attack Victim Count Increases by 5,980%
Covenant Health has provided an update on the number of individuals affected by its May 2025 ransomware attack, confirming that at least 478,188 individuals were affected, a 5,980% increase from the previously reported total of 7,864 individuals. According to a notification letter sent to the Maine Attorney General, issued on Covenant Health’s behalf by its legal counsel, Baker & Hostetler LLP, additional notification letters started to be mailed on December 31, 2025, including notifications to 284,529 Maine residents.
Baker & Hostetler explained that after the initial data breach report was submitted on July 11, 2025, the investigation continued, and the bulk of the data analysis has now been completed, suggesting the total may increase further by the time the investigation is concluded. The ransomware attack was detected on May 26, 2025, when suspicious activity was observed within Covenant Health’s IT environment, and the investigation confirmed that an unauthorized third party had access to the network from May 18, 2025, and was able to access files containing patient information.
The compromised data types vary from individual to individual and include name in combination with one or more of the following: address, date of birth, medical record number, Social Security number, health insurance information, diagnosis, date(s) of treatment, and treatment type(s). As previously reported, the Qilin ransomware group claimed responsibility for the attack.
Baker & Hostetler has confirmed that Covenant Health is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were involved, and that steps have been taken to strengthen the security of its IT environment.
July 14, 2025: Covenant Health: 7,864 Individuals Affected by May 2025 Ransomware Attack
Covenant Health has published a substitute breach notice about its recent cyberattack and has started issuing notification letters to the affected individuals. While there is no data breach report currently showing on the HHS’ Office for Civil Rights breach portal, the Maine Attorney General has been informed that the personal and protected health information of 7,864 individuals was compromised in the incident, including 4,659 Maine residents.
The breach notification letters confirm that suspicious activity was identified within its computer network on May 26, 2025. Immediate action was taken to secure and restore the affected systems and investigate the incident to determine its source, extent, and whether patient data was compromised. Covenant Health has confirmed that an unnamed threat actor gained access to parts of its network on May 18, 2025, and “was able to access some patient information.”
The notification letters state that, on June 25, 2025, Covenant Health learned that the data of 4,659 Maine residents was exposed and potentially stolen. The compromised data includes names, addresses, dates of birth, medical record numbers, Social Security numbers, diagnosis information, treatment information, and health insurance information. A detailed review is ongoing to determine whether further data was compromised, and the notice may be supplemented at a later date if that turns out to be the case.
Notification letters started to be sent to the 7,864 affected individuals on July 11, 2025, and complimentary credit monitoring and identity theft protection services have been made available. Patients of St. Joseph Hospital, the Bangor Nursing and Rehabilitation Center, St. Mary’s Health System, St. Mary’s d’Youville Pavilion in Lewiston, and St. Andre Health Care in Biddeford are known to have been affected by the incident. Covenant Health said it has made updates to its network to improve security and prevent similar incidents in the future. The notification letters do not state the name of the threat group or whether ransomware was used.
The Qilin threat group claimed responsibility for the attack. The group’s tactics, techniques, and procedures involve data theft and file encryption with ransomware, and when the ransom is not paid, data is leaked on its dark web data leak site. While Covenant Health was initially listed on the site, the listing has been removed, which indicates the ransom was paid.
May 30, 2025: Covenant Health Cyberattack Affecting New England Hospitals
Covenant Health, an Andover, ME-based Catholic healthcare provider serving New England and parts of Pennsylvania, is dealing with a cyberattack that has been causing connectivity issues across its network. The health system first started experiencing connectivity issues on May 26, 2025. The decision was taken to shut down data systems across the entire network, including at its hospitals, clinics, and provider practices. Covenant Health has confirmed that the connectivity issues were caused by a cyberattack by an outside group.
Covenant Health has engaged best-in-class cybersecurity experts to assist with the investigation and help with the restoration of system access. The investigation is still in the early stages, so it is unclear if patient data has been stolen. The health system has not stated whether ransomware was used, and no threat group has currently claimed responsibility for the attack. Covenant Health is working to provide healthcare services as normal, and there has been little impact on its post-acute care facilities, as they operate on different systems. Staff are working around the clock to resolve the issues and restore systems and services as quickly as possible. Patients have been advised to keep their appointments.
The website of St. Joseph Hospital in Nashua, New Hampshire, states that the hospital is experiencing a temporary system issue that may affect phones and Internet access, warning that some services may be unavailable. When the attack was detected, the decision was taken to divert some ambulances to other hospitals in the area out of an abundance of caution, and patients requiring certain services, such as medical imaging, have been taken to other facilities. The incident has affected its outpatient lab services, which are only being provided at the main hospital campus, and then only with a physical order in hand. Two Maine hospitals are also known to have been affected: St. Joseph Hospital in Bangor and St. Mary’s Hospital in Lewiston.
This post will be updated when further information becomes available.


