Covenant Health Faces Class Action Lawsuit Over May 2025 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Covenant Health is facing a proposed class action lawsuit over allegations that the New England healthcare system negligently failed to prevent a May 2025 cyberattack that reportedly compromised the private information of approximately 478,188 individuals.

Want to stay in the loop on class action lawsuits that matter to you? Sign up for ClassAction.org’s free weekly newsletter.

The 53-page class action lawsuit alleges that Covenant Health’s failure to adequately secure and safeguard patients’ personally identifying information and private health information has left victims “with a present and imminent lifetime risk of identity theft or fraud” because of the “massive and preventable” breach. The suit conveys that the personal information exposed in the data breach included full names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and medical diagnoses and treatments.

The filing contends that the sheer scope of the information stolen in the data breach “constitutes a dream for hackers or cybercriminals and a nightmare for plaintiffs and the class.”

The data breach lawsuit says that while Covenant did not learn of the data breach until May 26, 2025, it indicated the unauthorized third party accessed its systems as early as May 18, 2025. The delay in discovery meant “[Covenant Health] was unaware of the data breach for days while cybercriminals roamed around its systems with unfettered access to…private information.”

Per the filing, patients provided their personal information to Covenant Health “with the reasonable expectation and mutual understanding” that the healthcare provider would proactively protect the information. The case argues that Covenant “knew or should have known” that electronic medical records would be invaluable to cybercriminals; private information is frequently bought and sold on the dark web, and the case cites a study by cybersecurity firm Mimecast indicating that 90 percent of healthcare organizations experienced a data breach in 2020 alone.

Covenant Health had a duty to “properly implement basic data security practices,” the lawsuit states, and its “failure to install, implement, or maintain adequate data security measures” allowed cybercriminals to access patients’ personal data. The lawsuit goes on to elaborate that the healthcare industry typically utilizes a multitude of protections for private information:

“Best cybersecurity practices that are standard in the healthcare services include installing appropriate malware detection software; monitoring and limiting the network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches, and routers; monitoring and protection of physical security systems; protection against any possible communications system; and training staff regarding critical points.”

Despite its legal duty to protect the highly sensitive private information in its care, Covenant Health negligently failed to implement industry-standard practices, the lawsuit argues, making the data breach “particularly egregious and foreseeable.”

The Covenant Health class action lawsuit seeks to cover all United States residents whose private information was compromised during the data breach, including all individuals who received a written data breach notice from Covenant.

Learn all about the legal process: What is a class action lawsuit?