Data Breach at Covenant Health Impacts nearly 500,000 Patients, including Hundreds of Thousands in Maine

A massive data breach affecting Massachusetts-based covenant Health has impacted nearly half a million individuals, with a significant portion residing in Maine. The healthcare network, which owns facilities including St. Mary’s Health System in Lewiston and St. Joseph Healthcare in Bangor, initially detected unusual IT activity in May 2025, but the full scope of the breach was only recently revealed.

The incident began on May 18, 2025, when a hacker gained access to Covenant health’s IT system, according to an inquiry conducted with the assistance of third-party specialists. While the network initially reported a smaller number of affected individuals, a December 31, 2025, declaration substantially increased the estimated impact.

Initial Reports and Escalating Concerns

Covenant Health first alerted authorities to the suspicious activity on May 26, 2025. Shortly after, St. Mary’s Health and St. Joseph Healthcare experienced disruptions to phone systems and documentation processes, with some services becoming intermittently unavailable. “The institution worked swiftly to secure its systems and understand the extent of the compromise,” a company release stated.

Initial notifications filed with the Maine Attorney General’s Office on July 11, 2025, indicated that 7,864 people were affected, including 4,659 Maine residents.Though, a subsequent review revealed a far more extensive breach.

Nearly Half a Million Impacted

The updated notice filed on december 31, 2025, revealed that a total of 478,188 individuals were impacted by the data breach, including 284,529 Maine residents. This represents a dramatic increase from the initial estimates.

The compromised personal information varied by patient but could include names, addresses, dates of birth, medical record numbers, Social Security numbers, health insurance information, and detailed treatment data such as diagnoses and dates of service.The potential exposure of Social Security numbers is notably concerning, raising the risk of identity theft.

Response and Resources for Affected Individuals

Covenant Health is urging individuals whose information may have been compromised to carefully review statements from their healthcare providers and insurance plans, promptly reporting any unrecognized services. The network is offering complimentary credit monitoring and identity theft protection services to those whose Social Security numbers may have been exposed.

Patients with questions or concerns about the breach can contact a dedicated hotline at 1-855-361-0344, available from 9 a.m. to 9 p.m. Monday through Friday, excluding major U.S. holidays.

legal Action and Security Enhancements

The data breach has already triggered legal action. In June 2025, a class action lawsuit was filed against Covenant Health and Bangor’s St. Joseph Hospital,alleging a failure to adequately protect patient data.

In its December 31 statement, Covenant Health affirmed that it has taken steps to enhance the security of its IT systems to prevent future incidents. The network operates facilities across Maine, Massachusetts, New Hampshire, Rhode Island, and pennsylvania, in addition to St.mary’s Health System, St. Joseph Healthcare, St. André Health Care in Biddeford, and the Bangor Nursing and Rehabilitation center.