Covenant Health Data Breach Hits 478,000 Patients: What Victims Should Do Now
The 30-second summary
- Covenant Health revised the impact count of its May 2025 cyberattack to nearly 478,000 patients in a filing reported by BleepingComputer this week.
- The leaked data includes names, dates of birth, Social Security numbers, medical record numbers, diagnoses, and health-insurance identifiers.
- Notification letters are now being mailed. Complimentary credit monitoring is offered but is not sufficient for a full-SSN plus medical-data breach.
- Freeze your credit, enroll in an IRS IP PIN, and add a medical-identity-aware protection service this week.
What happened at Covenant Health
Covenant Health is a Tennessee-based not-for-profit health system with more than 10 hospitals and 90 outpatient facilities across the Southeast. The organization discovered unauthorized access to portions of its network in May 2025. Initial filings estimated fewer than 100,000 affected individuals. In the May 2026 revision reported by BleepingComputer, Covenant disclosed that nearly 478,000 patients are now confirmed in scope.
The revised HHS "wall of shame" listing places this breach in the top five U.S. healthcare incidents of 2025 by patient count, alongside the Change Healthcare, Ascension, and Kaiser disclosures. Covenant has not attributed the attack publicly, but ransomware-gang leak sites have been quiet on the dataset, which suggests the attackers may be holding it for private resale rather than public extortion.
What data is exposed
| Data category | Exposed? | Risk level |
|---|---|---|
| Full name | Yes | High (combined with SSN) |
| Date of birth | Yes | High |
| Social Security number | Yes | Critical |
| Medical record number | Yes | High (medical identity fraud) |
| Diagnoses / procedures | Yes | High |
| Insurance member ID | Yes | High |
| Driver's license | Subset only | Medium |
| Payment card | No reported exposure | Low |
The 48-hour victim action plan
- Freeze all three credit bureaus (Equifax, Experian, TransUnion). Free, online, and reversible. This is the single highest-impact action.
- Enroll in an IRS IP PIN at IRS.gov. This stops tax-refund fraud even if the attacker has your SSN and DOB.
- Accept Covenant's free credit monitoring (it is non-exclusive, so you can stack a paid service on top).
- Request a fraud alert with one bureau; the request propagates to the other two.
- Enable 2FA on your patient portal, your insurance account, email, and banking.
- Pull a free myE-Verify and an SSA My Social Security statement to spot employment and benefit-fraud attempts.
- Save the breach notification letter for class-action and tax-loss purposes.
Why medical breaches need more than credit monitoring
Credit monitoring watches the three credit bureaus. It does not see medical identity fraud, where your MRN and insurance ID are used to file claims, fill prescriptions, or get elective procedures in your name. Medical fraud is harder to unwind because the resulting records live inside hospital systems, not at the bureaus. A full-featured identity-protection service monitors dark-web markets and adds medical-identity support.
Our five picks for Covenant Health breach victims
1. Aura
Rating: 9.5/10 · From $9/mo (family from $25/mo)
Our top pick for healthcare-breach victims. Monitors SSN, medical ID, dark web, and includes $1M identity-theft insurance per adult.
- Pros: White-glove restoration, clean mobile app, family plan coverage.
- Cons: Higher entry price than Credit Karma's free tier.
2. LifeLock by Norton
Rating: 9.2/10 · From $9.99/mo
Bundles with Norton 360 antivirus and VPN. Strong USPS address-change alerts and court-record monitoring.
- Pros: Best bundle for Norton users, strong restoration team.
- Cons: Introductory price jumps at renewal.
3. Identity Guard
Rating: 9.0/10 · From $8.99/mo
IBM Watson-powered risk scoring. Good option for families with children, whose SSNs are also in the Covenant file set.
- Pros: Competitive family pricing, social-media monitoring.
- Cons: UI feels dated.
4. IdentityForce
Rating: 8.9/10 · From $17.95/mo
Strongest medical-identity monitoring in our test. Tracks explanation-of-benefits anomalies and CMS data feeds.
- Pros: Medical-fraud focus, detailed alert triage.
- Cons: Priced higher than the category average.
5. Experian IdentityWorks
Rating: 8.7/10 · From $9.99/mo
Direct bureau access is the main draw: real-time Experian credit alerts, same-day lock/unlock, and three-bureau reports.
- Pros: Best-in-class Experian coverage.
- Cons: Three-bureau tier is extra.
Comparison: which service fits a Covenant Health victim?
| Service | Medical fraud | SSN monitoring | Insurance | Starting price |
|---|---|---|---|---|
| Aura | Yes | Yes | $1M | $9/mo |
| LifeLock | Limited | Yes | Up to $3M | $9.99/mo |
| Identity Guard | Limited | Yes | $1M | $8.99/mo |
| IdentityForce | Yes (best) | Yes | $1M | $17.95/mo |
| Experian IdentityWorks | Limited | Yes | $1M | $9.99/mo |
Frequently asked questions
How do I know if my family is covered by the mailing?
Covenant's notification letter goes to the billed guarantor for minors. If you received care for children at Covenant between 2020 and mid-2025, assume their SSNs are in scope even if you personally receive only one letter.
Is Covenant offering identity-theft insurance beyond credit monitoring?
The current notice offers 12 months of credit monitoring only. For identity-theft insurance and medical-identity protection you need to enroll separately, which is why we recommend stacking a paid service on top of the free offer.
What if the data is already on the dark web?
Assume it is. The monitoring services above notify you when your SSN, DOB, or medical ID surfaces on known marketplaces so you can accelerate credit freezes, bank-account reviews, and IRS IP PIN enrollment before criminals operationalize the data.
Can I opt out of Covenant's future data collection?
Under HIPAA you can request an accounting of disclosures and restrict certain uses, but you cannot opt out of retention for billing and continuity-of-care records. The practical remedy is to monitor and freeze, not to pull records.