Ransomware Group Qilin Claims to Have Stolen 852 GB of Data from a Healthcare Provider

A significant data breach impacting a New England-based Catholic healthcare network has resulted in nearly 480,000 patients being notified that their health information may have been compromised following a cyberattack in May 2025.
Ransomware group Qilin has taken responsibility for the incident affecting the Massachusetts-based Covenant Health, which announced on December 31 that the breach involved 478,188 individuals. This figure significantly exceeds Covenant’s earlier report to federal authorities in July, where the breach was estimated to affect only about 7,900 individuals.
In May, Covenant disclosed interruptions to IT systems across its clinics, hospitals, and other sites (see: Covenant Health Dealing with Cyberattack Affecting Hospitals). The organization initially detected “irregularities impacting connectivity” on May 26 and promptly restricted access to all data systems. Qilin claims to have exfiltrated 852 gigabytes of data; however, as of now, Covenant’s data has not been published on the gang’s leak site.
Reports from cyber monitoring site Ransomware.live indicate that Qilin’s listings included screenshots related to Covenant. The compromised information potentially encompasses patient names, addresses, dates of birth, medical record numbers, Social Security numbers, health insurance details, and treatment-related data.
In response to the incident, Covenant has reportedly enhanced its IT security measures to prevent similar breaches in the future. However, the organization has not yet provided additional comments regarding Qilin’s claims to Information Security Media Group.
Qilin, operating within the Russian-speaking sphere, has been tied to an increasing number of cyberattacks against healthcare entities both in the U.S. and internationally. Notably, the group was responsible for a disruptive attack in 2024 on British pathology service firm Synnovis, which significantly impacted the UK’s National Health Service, leading to widespread appointment cancellations and a notable shortage of O-negative blood due to hampered supply chains (see: Synnovis Notifying UK Providers of Data Theft in 2024 Attack).
For this breach, the relevant MITRE ATT&CK tactics likely include Initial Access through phishing or exploitation of vulnerabilities, Persistence via backdoor installations, and Privilege Escalation to reach sensitive health information. As the healthcare sector is increasingly targeted, understanding the techniques employed is critical for organizations seeking to bolster their defenses against such incursions.