Apr 20, 2026 · 8 min read
478,188 Patients Waited 7 Months to Hear That Qilin Ransomware Stole Their Medical Records
Covenant Health's ransomware attack started on May 18, 2025. The hospital network finished its investigation by December 10. Notifications went out on New Year's Eve. Under current U.S. notification law, that timeline is legal—and it is the norm.
Covenant Health runs three hospitals and a web of rehabilitation centers and assisted living facilities across Maine, Massachusetts, New Hampshire, Pennsylvania, Rhode Island, and Vermont. On May 18, 2025, the Qilin ransomware group got inside its network. For eight days they moved through Covenant's environment, siphoning patient data before encrypting the final payload.
Covenant Health notified 478,188 patients that their records had been stolen. The notifications went out on December 31, 2025—seven months and thirteen days after the attack began.
What Qilin Stole
According to Covenant's notification letter, the attackers exfiltrated the full patient intake record set: names, addresses, dates of birth, medical record numbers, Social Security numbers, health insurance information, diagnoses, treatment dates, and treatment types.
That inventory is about as damaging as a healthcare breach gets. An attacker holding a name plus a date of birth plus a Social Security number has everything needed to file a fraudulent tax return or open a line of credit. Add a diagnosis and a treatment date and the material becomes useful for medical identity fraud—a scam in which attackers bill insurance companies using the victim's coverage and leave the victim responsible for the denial appeals and corrections to their medical record. Unlike bank fraud, medical identity theft has no federal reimbursement mechanism and can take years to unwind.
The operational damage was also substantial. Lab services at St. Joseph Hospital in Maine, St. Mary's Health System in Maine, and St. Joseph Hospital in New Hampshire reverted to paper orders. Wait times increased across the network. Patients scheduled for procedures that depended on historical lab results had to retake tests. Rural hospitals, which have thinner staffing, absorbed most of the disruption.
The Qilin Playbook
Qilin is not a new name. The Russian-speaking ransomware-as-a-service group has been operating since at least 2022 and spent 2025 on a hospital-targeting spree. Cisco Talos tracked approximately 40 new victim disclosures from Qilin every month through the second half of the year. Comparitech's ransomware tracker counts more than 700 attributed attacks—118 confirmed by victims, roughly half inside the United States.
The group's 2025 resume includes the disruption of dozens of hospitals and clinics across London that left patients unable to book blood tests for weeks, the beverage giant Asahi in Japan, a major U.S. newspaper chain, and the governments of Malaysia and Palau. German political party Die Linke also fell to Qilin in late 2025, exposing donor and membership data.
The pattern is consistent: Qilin buys initial access through brokers who sell credentials harvested from infostealer logs and phishing campaigns, moves laterally through Active Directory, exfiltrates data over legitimate cloud storage services, and fires the encryption routine last. In most documented cases the entire intrusion chain takes between five and fourteen days. Covenant's eight-day dwell time is on the fast end.
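The exfiltration step in that chain, bulk uploads to legitimate cloud storage, is one of the few points where an intrusion of this kind is visible before the encryption routine runs. As an added example (it is not from the original article and is not Covenant Health's or any vendor's tooling), the Python below runs a volume-based check over a handful of constructed proxy log lines: it totals each host's daily bytes sent to domains categorised as cloud storage and flags host-days that exceed both an absolute floor and a large multiple of what peer hosts send. The log format, host names, domain list and thresholds are all assumptions chosen for illustration.

```python
"""
Added example: flag hosts whose daily outbound volume to cloud-storage
domains is far above what the rest of the network sends.
All log lines, host names, domains and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log sample: timestamp, source host, destination host, bytes sent.
# ws-finance-07 pushes well over a gigabyte to a sync service on two consecutive nights;
# the other hosts send a few megabytes, which is ordinary document-sync traffic.
SAMPLE_PROXY_LOG = """\
2025-05-18T02:14:07 ws-finance-07 sync.example-cloud-storage.test 412000000
2025-05-18T02:31:55 ws-finance-07 sync.example-cloud-storage.test 398000000
2025-05-18T03:05:12 ws-finance-07 sync.example-cloud-storage.test 455000000
2025-05-18T09:12:44 ws-radiology-02 sync.example-cloud-storage.test 2100000
2025-05-18T10:01:03 ws-radiology-02 www.example-vendor.test 54000
2025-05-19T02:08:21 ws-finance-07 sync.example-cloud-storage.test 510000000
2025-05-19T11:40:09 ws-hr-01 sync.example-cloud-storage.test 1800000
"""

# Assumed category list; in practice this comes from the proxy's URL-category feed.
CLOUD_STORAGE_DOMAINS = {"sync.example-cloud-storage.test"}


def parse_line(line):
    """Split one constructed log line into (timestamp, host, destination, bytes_sent)."""
    ts, host, dest, sent = line.split()
    return datetime.fromisoformat(ts), host, dest, int(sent)


def daily_cloud_egress(log_text):
    """Return {(host, 'YYYY-MM-DD'): bytes sent to cloud-storage domains that day}."""
    totals = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, dest, sent = parse_line(raw)
        if dest in CLOUD_STORAGE_DOMAINS:
            totals[(host, ts.date().isoformat())] += sent
    return dict(totals)


def flag_hosts(totals, absolute_floor=100_000_000, ratio_to_peers=10):
    """
    Flag host-days whose cloud egress is at least `absolute_floor` bytes AND at
    least `ratio_to_peers` times the median of every other host-day. The floor
    stops tiny networks from flagging normal sync traffic; the ratio keeps a
    single busy-but-legitimate host from being flagged only because it is busy.
    Returns a list of (host, date, bytes) sorted by date then host.
    """
    flagged = []
    for key, sent in totals.items():
        peers = [v for k, v in totals.items() if k != key]
        baseline = median(peers) if peers else 0
        ratio = sent / baseline if baseline else float("inf")
        if sent >= absolute_floor and ratio >= ratio_to_peers:
            flagged.append((key[0], key[1], sent))
    flagged.sort(key=lambda f: (f[1], f[0]))
    return flagged


if __name__ == "__main__":
    for host, day, sent in flag_hosts(daily_cloud_egress(SAMPLE_PROXY_LOG)):
        print(f"{day} {host}: {sent / 1e6:.0f} MB to cloud storage")
```

On the constructed sample the two ws-finance-07 host-days are flagged and the radiology and HR hosts are not. The peer-median baseline is a deliberate choice over a per-host history: an attacker who has only been on the network for days has no history to compare against, but the rest of the fleet does.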
Why Notification Took Seven Months
HIPAA's Breach Notification Rule requires covered entities to notify affected individuals "without unreasonable delay, and in no case later than 60 days" after discovering a breach. In practice, the 60-day clock is interpreted to start once an investigation has identified which individuals were affected—not when the breach itself is discovered. That loophole is what turned a May attack into a December notification.
Covenant's timeline appears to follow the standard script: incident discovered, forensic firm engaged, forensic investigation takes several months, sample data review identifies individuals at risk, legal counsel drafts notification, notification sent. Federal law enforcement was notified at the time of the attack. Individual patients were not.
For the seven months between the breach and the notification, those 478,188 patients could not:
- Place a fraud alert on their credit files
- Freeze their credit
- Monitor for medical billing fraud
- Change the passwords on patient portals that may have shared credentials with other accounts
- Watch for phishing campaigns that reference their real medical history
Qilin's affiliates, meanwhile, had the data the whole time.
The Notification Delay Pattern
Covenant's seven-month gap is long but not unusual. Healthcare breach notifications routinely run four to nine months behind the incident. Kaplan waited four months to notify 230,000 students that hackers had sat on its servers for 19 days. Eurail took three months to tell 300,000 travelers that their passport numbers had been stolen. IPPC Group waited seven months after a pharmacy breach to notify 133,862 patients.
This pattern is the product of a regulatory regime that optimizes for the entity doing the disclosing, not for the people whose data was lost. The 60-day clock measures from "reasonable investigation completion," and any organization with an outside law firm can extend that clock by extending the investigation. Until notification arrives, affected individuals have no basis to act on a risk they do not know exists.
A handful of states have started tightening this window. Colorado's Attorney General published enforcement guidance in 2025 arguing that the clock must start at breach discovery, not investigation completion. Montana's Consumer Data Privacy Act enforcement period ended in April 2026, opening the door to state-level litigation on notification delays. No federal statute yet mirrors either change.
What Covenant Is Offering
Affected patients are being offered one year of credit monitoring. This is the template response for a breach of this magnitude, and it is almost completely mismatched to the actual risk profile.
Social Security numbers do not expire. Medical record numbers do not rotate. The stolen diagnoses and treatment histories will remain useful to scam callers for decades. A year of credit monitoring addresses the risk that someone uses a stolen identity to open a credit card in the next twelve months. It does nothing for the risk that, in 2029, a scam caller knows the patient's medical history well enough to impersonate the hospital.
If you were a Covenant Health patient and received a notification letter, the minimum reasonable response is:
- Freeze your credit with all three major bureaus. It is free and can be thawed temporarily when you need new credit.
- Enable the credit monitoring Covenant is offering, but treat it as a minimum, not a solution.
- Review your Explanation of Benefits statements from your insurer for treatments you never received.
- File an identity theft report with the FTC at IdentityTheft.gov if any fraud appears. The report is the legal document you need to dispute medical billing.
- Be skeptical of calls and emails referencing your real medical history. A scam caller with diagnosis and treatment detail is still a scam caller. Hospitals do not ask for payment over the phone.
Healthcare Is the Softest Target
The U.S. Department of Health and Human Services logged 118 large healthcare data breaches in the first two months of 2026, affecting more than 9.6 million individuals. Hospitals cannot go offline the way a SaaS platform can absorb a Monday morning outage. Lives depend on the availability of medical records and lab results, which is exactly why ransomware groups target the sector: time pressure translates into ransom payments.
Healthcare IT budgets are also structurally small compared to financial services or tech. A regional hospital network like Covenant runs on a fraction of the security spend that a mid-sized software company considers normal. The defensive stack tends to be legacy EHR systems, inconsistently patched, bolted onto an Active Directory forest that has accumulated trust relationships for two decades. Qilin and its peers know this. So does the Anubis ransomware group, which took Brockton Hospital offline earlier this month. So did the attackers who shut down the patient record system of 80 percent of Dutch hospitals this April.
Until federal regulators tighten notification timelines, or until Congress passes a breach notification statute that serves the people whose data is lost rather than the entities that lost it, the pattern will repeat. The next 478,188 patients are already somewhere in a forensic firm's current engagement queue. They will hear about it around Christmas.