Covenant Health Data Breach Lawsuit, 478,000 Patients Face Identity Theft Risk After Ransomware Attack—What You Need to Know
Covenant Health confirmed a May 2025 cyberattack exposed sensitive information of 478,188 patients across New England and Pennsylvania, triggering class action lawsuits and law firm investigations. The Qilin ransomware group claimed responsibility, allegedly stealing 852 GB of data including Social Security numbers, medical records, and treatment details.
The healthcare network discovered the breach on May 26, 2025, but hackers had already accessed systems since May 18. Initially reported as affecting 7,864 people in July 2025, the breach scope expanded dramatically after further investigation, with notification letters sent December 31, 2025.
What Data Was Stolen
The exposed information may include names, addresses, dates of birth, medical record numbers, Social Security numbers, health insurance information, and treatment details such as diagnoses, dates of treatment, and type of treatment, according to Covenant Health’s official breach notification.
The Qilin ransomware group posted the stolen data on its dark web leak site after Covenant Health reportedly refused to pay ransom demands. Healthcare data commands premium prices on criminal marketplaces because it contains everything needed for medical identity theft, insurance fraud, and financial crimes.
The attackers accessed names, addresses, Social Security numbers and health information, among other sensitive data that could put patients at serious risk. Unlike credit card numbers that can be canceled and reissued, Social Security numbers and medical histories cannot be changed, creating permanent identity theft vulnerability.
Class Action Lawsuits Filed
A class action lawsuit was filed in June 2025 against Covenant Health and St. Joseph Hospital, accusing the healthcare network of failing to properly protect patient records. Law firm Schubert Jonckheer & Kolbe announced January 8, 2026, it is investigating the breach on behalf of affected patients.
If your personal information was impacted by this incident, you may be at risk of identity theft and other serious violations of your privacy. As a result, you may be entitled to money damages and an injunction requiring changes to Covenant’s cybersecurity practices, according to the law firm’s investigation announcement.
The lawsuits allege Covenant Health failed to implement adequate cybersecurity measures and delayed notifying affected patients. The eight-day gap between when hackers gained access (May 18) and when Covenant discovered the breach (May 26) allowed extensive data theft. The five-month delay before notifying most patients raises additional questions about notification timeliness.
Which Patients Are Affected
The breach impacts patients of Covenant Health facilities including St. Joseph Hospital of Nashua, St. Joseph Healthcare in Bangor, Maine, and St. Mary’s Health System in Lewiston, Maine. 284,529 Maine residents represent over half the total affected population.
Covenant Health operates hospitals, nursing and rehabilitation centers, assisted living residences, and elder care organizations across Massachusetts, Maine, New Hampshire, Pennsylvania, Rhode Island, and Vermont. Anyone who received healthcare services at these facilities and had their information stored in Covenant’s IT systems may be affected.
Similar to the Nelnet data breach class action lawsuit, which resulted in a $10 million settlement paying up to $5,000 for documented losses, Covenant Health breach victims may be eligible for compensation if lawsuits reach settlement.
What You Must Know
Covenant Health is offering 12 months of free identity protection services through Experian IdentityWorks to affected individuals whose Social Security numbers were compromised. However, one year of monitoring may be insufficient given the permanent nature of stolen Social Security numbers and medical data.
The breach notification timeline raises concerns. Covenant discovered the attack May 26, 2025, but didn’t notify the first group of affected patients until July 11, 2025—a 46-day delay. The majority of patients (over 470,000) didn’t receive notification until December 31, 2025—more than seven months after the breach occurred.
Healthcare data breaches carry unique risks beyond financial identity theft. Criminals can use stolen medical information to obtain prescriptions, file fraudulent insurance claims, or create fake medical identities. Medical identity theft victims often face difficulty correcting fraudulent medical records that could affect their future care.
The Qilin ransomware group has targeted healthcare organizations globally, including a highly disruptive 2024 attack on British pathology firm Synnovis that forced thousands of appointment cancellations at London hospitals. The group’s continued operation demonstrates the persistent threat to healthcare cybersecurity.
What to Do Next
If you received a breach notification from Covenant Health, activate the free Experian IdentityWorks monitoring immediately. Call 1-855-361-0344 Monday through Friday between 9 a.m. and 9 p.m. Eastern Time for assistance enrolling.
Place fraud alerts with the three major credit bureaus (Equifax, Experian, TransUnion). A fraud alert requires creditors to verify your identity before opening new accounts in your name. Consider a credit freeze for stronger protection—it prevents anyone from accessing your credit report to open new accounts.
Review all explanation of benefits statements from your health insurance provider carefully. If people see any services they did not receive, they should immediately contact their provider or insurance company. Medical identity theft often goes undetected for months or years.
Monitor your credit reports from all three bureaus for unauthorized accounts or inquiries. You’re entitled to one free credit report annually from each bureau through AnnualCreditReport.com. Stagger your requests throughout the year for continuous monitoring.
File your taxes early in 2026. Tax-related identity theft occurs when criminals use stolen Social Security numbers to file fraudulent returns and claim refunds. Filing early prevents criminals from filing before you.
Joining the Lawsuit
Multiple law firms are investigating claims on behalf of affected patients. Contact attorneys handling Covenant Health breach cases if you want to join the litigation. Most data breach class actions operate on contingency—attorneys receive payment only if you win, with no upfront costs.
Document any identity theft, fraud, or expenses related to the breach. Save receipts for credit monitoring services, time spent resolving fraudulent accounts, and any financial losses. Detailed documentation strengthens potential claims.
Similar to the 23andMe lawsuit, which offered up to $10,265 for documented financial harm from a data breach, Covenant Health settlements may provide compensation tiers based on harm severity and documentation.
Frequently Asked Questions
How do I know if I’m affected by the Covenant Health breach?
Covenant Health sent notification letters to affected patients via mail around December 31, 2025. If you received healthcare services at St. Joseph Hospital (Nashua or Bangor), St. Mary’s Health System (Lewiston), or other Covenant Health facilities and haven’t received notification, call 1-855-361-0344 to verify your status.
Is there a settlement I can file claims for?
Not yet. The June 2025 class action lawsuit is still in early litigation stages. No settlement has been reached. Data breach class actions typically take 2-4 years from filing to settlement approval and payment distribution.
What compensation might I receive?
Compensation depends on whether lawsuits reach settlement and the settlement terms. Typical data breach settlements pay base amounts ($20-$75) for all class members plus higher amounts ($2,500-$10,000+) for documented identity theft, fraud losses, or monitoring expenses.
Should I accept the free credit monitoring?
Yes, enroll immediately even if you plan to join the lawsuit. Accepting free monitoring doesn’t prevent you from participating in class action litigation or pursuing individual claims. The monitoring helps detect identity theft early when remediation is easier.
What if I already experienced identity theft?
Document everything: fraudulent accounts, credit inquiries, time spent resolving issues, financial losses, and correspondence with creditors. Report identity theft to the FTC at IdentityTheft.gov to create an official recovery plan. Contact attorneys investigating the breach about potential individual claims for substantial damages.
Can I still receive care at Covenant Health facilities?
Yes. The breach affects past patient data, not current healthcare services. You can continue receiving care at Covenant Health facilities. However, ask about enhanced security measures the organization implemented to prevent future breaches.
How long am I at risk for identity theft?
Indefinitely. Social Security numbers and medical information cannot be changed like passwords or credit cards. Criminals can exploit stolen data months or years after a breach, requiring long-term vigilance and monitoring.
Last Updated: January 18, 2026
Disclaimer: This article provides information about the Covenant Health data breach lawsuit for educational purposes only and does not constitute legal advice.
CTA: If you received a Covenant Health breach notification, enroll in free identity monitoring immediately and consult with attorneys about potential legal claims.
Stay informed, stay protected. — AllAboutLawyer.com
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah