Covenant Health, based in Andover, Mass.-based, has sent additional data breach notification letters to patients after completing further analysis related to a cyberattack that occurred earlier in 2025.
The health system mailed letters to affected patients, including Maine residents, on Dec. 31, according to a notice submitted to the Maine attorney general’s office, after determining their information may have been involved in the incident.
Covenant Health first detected unusual activity in its IT environment on May 26, and later determined that an unauthorized party had accessed its systems on May 18, the notice stated.
The organization initially submitted a breach notice to the Maine attorney general on July 11. After the July notice, Covenant Health continued analyzing the affected data and “completed the bulk of its data analysis,” prompting the additional notifications sent at the end of December.
The information potentially accessed includes patients’ names and one or more of the following: addresses, dates of birth, medical record numbers, Social Security numbers, health insurance information and treatment details such as diagnoses, dates of treatment or types of treatment, according to the notice.
The breach affected 478,188 individuals, including 284,529 Maine residents, the filing stated.
Covenant Health is offering 12 months of complimentary identity protection services through Experian to individuals whose Social Security numbers may have been involved.
