
The Massachusetts-based healthcare provider recently notified over 7,000 individuals of a data breach.
What happened
On July 11th, 2025, Covenant Health notified individuals of a data breach impacting 7,864 individuals. Covenant Health is a Catholic healthcare provider with full-service hospitals. The provider, however, listed itself as a “Business Associate” in its report to the Department of Health and Human Services (HHS). The breach was reported as a hacking incident.
According to the notice published on Covenant Health’s website, the organization first became aware of unusual activity in its IT environment on May 26th, 2025. After the discovery, the provider immediately began working to restore systems and investigate the incident. Since then, Covenant Health’s systems have been fully restored.
Going deeper
Through the investigation, Covenant Health learned that an unauthorized party gained access to its IT environment, and subsequently to patient information, on May 18th, 2025. The investigation determined that the accessed information may have included patient names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment information, and health insurance information.
What’s next
Covenant Health said it began mailing notification letters on July 11th, 2025, but noted that it did not have contact information for every victim. For those whose Social Security numbers were compromised, the organization is also offering free credit monitoring and identity theft protection services. Covenant Health also said it will continue reviewing the involved information in case additional victims are identified.
The company stated, “As part of our ongoing commitment to the privacy of personal information in our care, we have also enhanced the security of our IT environment.”
Why it matters
Although this breach may seem relatively small, it can still have a large impact on victims. More and more small organizations are being targeted in cyberattacks. This month alone, 16 organizations have reported breaches impacting fewer than 10,000 individuals to the HHS.
FAQs
How does a network get hacked?
A network can get hacked in a variety of ways, such as hackers figuring out the password to a network, exploiting a vulnerability within the system, or tricking an employee into giving them information (social engineering). As hackers become increasingly skilled, it’s more important than ever to have strong cybersecurity protocols and systems in place.
What can impacted patients do to protect themselves?
Impacted patients should carefully monitor their credit reports and card statements. Unfortunately, once the information is on the dark web, it can’t be taken off. Patients should also be wary of any suspicious calls, emails, or letters. While victims may not be able to prevent information from getting into the wrong hands, they may be able to take legal action against Covenant Health if they believe the incident was preventable.