Covenant Health, a Catholic healthcare provider, has reported that a cyberattack in the previous year compromised the sensitive data of 478,188 individuals.
The organization manages three hospitals, several rehabilitation centers, assisted living facilities, and community-based health and elder care services across six states: Maine, Massachusetts, New Hampshire, Pennsylvania, Rhode Island, and Vermont.
In May 2025, unauthorized actors infiltrated Covenant Health’s network, exfiltrating patient data that included names, addresses, dates of birth, medical record numbers, Social Security numbers, health insurance details, and treatment specifics such as diagnoses, treatment dates, and types of care received.
Breach notification letters were dispatched to affected individuals on New Year’s Eve, with Covenant Health providing one year of credit monitoring services to those impacted.
The investigation into the incident concluded on December 10, revealing that cybercriminals maintained access to the IT systems from approximately May 18 to May 26. Federal law enforcement agencies were informed of the attack when it occurred.
The cyberattack significantly affected two hospitals in Maine, St. Joseph Hospital and St. Mary’s Health System, as well as a St. Joseph Hospital located in New Hampshire.
St. Mary’s experienced extended wait times, and its laboratories were restricted to processing paper orders. Similarly, St. Joseph Hospital in New Hampshire reported that lab services were limited to its main campus and required a physical order.
The Qilin ransomware gang later took responsibility for the attack. This group has been implicated in previous disruptions, notably affecting numerous hospitals and clinics in London, U.K.
In 2025, the Qilin group emerged as a highly destructive ransomware operation. Its targets included multiple U.S. municipalities, the Japanese beverage company Asahi, and a major U.S. newspaper chain. Additionally, the gang executed notable attacks against the governments of Malaysia and Palau.
A study by Cisco Talos indicated that the Qilin gang released victim information approximately 40 times per month during the past year.
Cybersecurity research firm Comparitech documented over 700 Qilin attacks last year, with 118 confirmed incidents. The United States accounted for roughly half of these attacks, while France, Canada, South Korea, and Spain also had a significant number of affected organizations.

