Covenant Health Qilin Ransomware Breach: Technical Analysis of 2025 Attack Impacting 478,188 Patient Records
- Rescana
- 4 days ago

Executive Summary
On May 26, 2025, Covenant Health detected unauthorized activity within its IT environment, later attributed to the Qilin ransomware group. The breach, which began on May 18, 2025, resulted in the compromise of sensitive data belonging to 478,188 patients across multiple facilities. Exposed information included names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment details, and health insurance information. The Qilin group claimed responsibility in late June 2025, stating that 852 GB of data and approximately 1.35 million files were exfiltrated. Covenant Health responded by engaging third-party forensic specialists, notifying affected individuals, and offering 12 months of complimentary identity protection services. The organization has since enhanced its IT security posture. This report provides a technical analysis of the incident, the threat actor’s tactics, and evidence-based recommendations for mitigation.
Technical Information
The Covenant Health breach was executed by the Qilin ransomware group, a sophisticated threat actor known for targeting healthcare and critical infrastructure sectors. The attack chain likely began with either spearphishing or exploitation of a public-facing application, both of which are established initial access techniques for Qilin. The group’s dwell time within the environment was eight days, allowing for extensive reconnaissance, lateral movement, and data exfiltration before detection.
Qilin operates as a Ransomware-as-a-Service (RaaS) platform, leveraging malware written in Golang and Rust, and is capable of targeting both Windows and ESXi environments. Technical analysis of Qilin samples reveals the use of embedded Mimikatz modules for credential dumping, PowerShell scripts for deployment and lateral movement, PsExec for remote execution, and custom DLL injection for persistence and evasion. The ransomware employs advanced encryption algorithms, including AES-256, ChaCha20, and RSA-4096/2048, to encrypt files and inhibit system recovery by deleting shadow copies using vssadmin.exe.
The group’s tactics, techniques, and procedures (TTPs) are mapped to the MITRE ATT&CK framework and include:
- Initial access via spearphishing attachments (T1566.001), spearphishing links (T1566.002), and exploitation of public-facing applications (T1190).
- Execution through PowerShell (T1059.001) and user execution of malicious files (T1204.002).
- Persistence using registry run keys (T1547.001) and Winlogon helper DLLs (T1547.004).
- Privilege escalation by bypassing user account control (T1548.002) and access token manipulation (T1134).
- Defense evasion through disabling security tools (T1562.001), clearing event logs (T1070.001), file deletion (T1070.004), and file obfuscation (T1027.013).
- Credential access via OS credential dumping (T1003.001).
- Discovery of accounts (T1087.001), files (T1083), remote systems (T1018), and network shares (T1135).
- Lateral movement using SMB/Windows Admin Shares (T1021.002) and scheduled tasks (T1053.005).
- Impact through data encryption (T1486), inhibiting system recovery (T1490), internal defacement (T1491.001), and system shutdown/reboot (T1529).
- Exfiltration over command and control channels (T1041), implied by the double extortion model.
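Several of the techniques above leave a distinctive process-creation trail on Windows hosts: shadow copy deletion with vssadmin.exe (T1490), event log clearing (T1070.001), PsExec's service binary (T1021.002), scheduled task creation (T1053.005), and hidden or encoded PowerShell launched from a mail or Office client (T1059.001, T1204.002). The following is an added example, not code from Rescana or the original report, showing how a detection pipeline can map process-creation events to those ATT&CK IDs. The log events are constructed in a simplified Sysmon Event ID 1 style, and the regular expressions and the image/parent lists are the author's assumptions about what these techniques look like on a host, to be tuned against real telemetry.

```python
"""Map Windows process-creation events to the Qilin ATT&CK techniques listed above.

Added example; not code from Rescana or the original report. The events below are
constructed (simplified Sysmon Event ID 1 fields) and the rules are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample events: (host, user, parent image, image, command line)
SAMPLE_EVENTS = [
    ("WS-012", "CORP\\jdoe", "outlook.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    ("SRV-FILE01", "CORP\\svc_backup", "services.exe", "cmd.exe",
     "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    ("SRV-FILE01", "CORP\\svc_backup", "cmd.exe", "wevtutil.exe",
     "wevtutil.exe cl Security"),
    ("DC01", "CORP\\admin", "services.exe", "PSEXESVC.exe",
     "PSEXESVC.exe"),
    ("WS-044", "CORP\\asmith", "explorer.exe", "winword.exe",
     '"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" /n invoice.docx'),
    ("WS-012", "CORP\\jdoe", "powershell.exe", "schtasks.exe",
     'schtasks.exe /create /sc onlogon /tn Updater /tr "C:\\Users\\Public\\u.exe"'),
]

# Command-line rules: (technique ID, description, pattern). Assumed patterns.
RULES = [
    ("T1490", "Inhibit System Recovery: shadow copy deletion via vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1070.001", "Clear Windows Event Logs via wevtutil",
     re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1053.005", "Scheduled Task creation via schtasks",
     re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("T1059.001", "PowerShell with hidden window or encoded command",
     re.compile(r"powershell(\.exe)?.*(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)", re.I)),
]
# Image names associated with PsExec-style remote execution (T1021.002).
PSEXEC_IMAGES = {"psexesvc.exe", "psexec.exe", "psexec64.exe"}
# Parent images that should rarely spawn a scripting host (T1204.002).
USER_APPS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def classify(event):
    """Return the list of ATT&CK technique IDs a single event matches."""
    host, user, parent, image, cmdline = event
    hits = [tid for tid, _desc, pattern in RULES if pattern.search(cmdline)]
    if image.lower() in PSEXEC_IMAGES:
        hits.append("T1021.002")
    if parent.lower() in USER_APPS and image.lower() in SCRIPT_HOSTS:
        hits.append("T1204.002")
    return hits


def scan(events):
    """Run every event through classify() and keep only those with at least one hit."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append({"host": ev[0], "user": ev[1], "image": ev[3],
                             "cmdline": ev[4], "techniques": hits})
    return findings


def hosts_by_technique(findings):
    """Pivot findings into technique ID -> sorted list of affected hosts."""
    pivot = defaultdict(set)
    for f in findings:
        for tid in f["techniques"]:
            pivot[tid].add(f["host"])
    return {tid: sorted(hosts) for tid, hosts in pivot.items()}


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f["host"], f["techniques"], f["cmdline"][:60])
    print(hosts_by_technique(results))
```

On the constructed input, the winword.exe launch from explorer.exe produces no finding, while the other five events each map to one or two technique IDs; the pivot by technique is the shape a responder wants when reconstructing which hosts saw recovery inhibition versus lateral movement. A host that trips T1490 and T1070.001 within minutes of each other is the pattern the report describes as immediately preceding encryption, so those two IDs deserve the highest alert priority.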
The breach exposed highly sensitive health and identity data, increasing the risk of identity theft, insurance fraud, and medical identity theft. The Qilin group’s double extortion tactics, which involve both encrypting files and threatening to leak exfiltrated data, further amplify the potential impact on affected individuals and the organization.
Attribution to the Qilin group is supported by direct claims on their leak site, technical overlap with known Qilin TTPs, and confirmation by multiple independent sources. The group has a documented history of targeting healthcare organizations, motivated by the high value of medical data and the criticality of healthcare operations.
Affected Versions & Timeline
The breach impacted the IT environment of Covenant Health and its affiliated entities, including St. Joseph Hospital of Nashua, St. Joseph Healthcare (Bangor), and St. Mary’s Health System (Lewiston). The affected systems included those storing patient demographic, medical, and insurance information.
The verified timeline is as follows:
- May 18, 2025: Unauthorized access to the IT environment began.
- May 26, 2025: Covenant Health detected unusual activity and initiated incident response.
- Late June 2025: The Qilin ransomware group claimed responsibility, stating that 852 GB of data had been stolen.
- July 11, 2025: Covenant Health began mailing notification letters to initially identified affected individuals.
- December 31, 2025: Expanded notification letters were sent as analysis revealed 478,188 affected individuals.
- January 2, 2026: A public update confirmed the scope and ongoing review.
The breach affected 478,188 patients across multiple states and facilities, with exposed data including names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment information, and health insurance information.
Threat Activity
The Qilin ransomware group is a financially motivated threat actor active since at least 2022, with a surge in activity in 2024–2025. The group is known for double extortion attacks, encrypting files and exfiltrating data to pressure victims into paying ransoms. Qilin has targeted healthcare, manufacturing, legal, financial, and critical infrastructure sectors globally, with a particular focus on healthcare due to the high value of medical and identity data.
In the Covenant Health incident, Qilin gained access to the IT environment and maintained a presence for eight days before detection. During this time, the group conducted reconnaissance, moved laterally, escalated privileges, and exfiltrated 852 GB of data comprising approximately 1.35 million files. The group then deployed ransomware to encrypt files and inhibit system recovery, leaving ransom notes and threatening to leak stolen data.
Qilin’s attacks are characterized by rapid execution, advanced anti-forensics, and the use of a mature RaaS ecosystem. The group frequently avoids targeting CIS countries, indicating likely Russian-speaking operators. In 2024 alone, Qilin amassed over $50 million in ransom payments. The group’s targeting of healthcare organizations is motivated by the criticality of operations and the likelihood of ransom payment.
The breach at Covenant Health exposed highly sensitive data, increasing the risk of identity theft, insurance fraud, and medical identity theft for nearly 478,000 patients. Regulatory scrutiny is expected from HIPAA, HHS, and state attorneys general due to the scale and sensitivity of the data involved.
Mitigation & Workarounds
Mitigation efforts should be prioritized by severity:
- Critical: Immediate review and enhancement of email security controls, including advanced phishing detection, sandboxing, and user training, is essential to prevent spearphishing-based initial access. All public-facing applications must be patched and monitored for exploitation attempts, with particular attention to remote access software and known vulnerabilities. Multifactor authentication (MFA) should be enforced for all remote access, with protections against MFA fatigue and SIM swapping.
- High: Network segmentation should be implemented to limit lateral movement, and privileged access management (PAM) solutions should be deployed to restrict administrative privileges. Endpoint detection and response (EDR) solutions must be configured to detect and block credential dumping, lateral movement, and ransomware execution. Regular backups should be maintained offline and tested for integrity, with restoration procedures rehearsed.
- Medium: Security information and event management (SIEM) systems should be tuned to detect anomalous activity, including unusual logins, privilege escalation, and data exfiltration. Incident response plans must be updated to include ransomware-specific scenarios, and tabletop exercises should be conducted regularly.
- Low: Ongoing user awareness training should be provided to all staff, emphasizing the risks of phishing and social engineering. Regular vulnerability assessments and penetration testing should be conducted to identify and remediate security gaps.
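The "Medium" item asks for SIEM tuning that detects data exfiltration. An exfiltration of 852 GB over an eight-day dwell time is, above all, a volume anomaly: a single host sending orders of magnitude more than its own history to a destination it has never used. The following is an added example, not code from Rescana or the original report, of a per-host outbound volume baseline that a SIEM could evaluate daily. The flow summaries are constructed, and the alert thresholds (ten times the host's median daily volume, with an absolute floor of 50 GB, after at least three days of history) are assumptions that a real deployment would tune to its own traffic.

```python
"""Per-host outbound volume baseline for SIEM exfiltration alerting.

Added example; not code from Rescana or the original report. Flow records are
constructed and the thresholds are assumptions to be tuned per environment.
"""
import statistics
from collections import defaultdict
from datetime import date

GB = 1_000_000_000

# Constructed daily flow summaries: (day, internal host, external destination, bytes sent).
# Six quiet days of routine traffic, then a sustained bulk transfer to a new destination.
SAMPLE_FLOWS = []
for _d in range(12, 18):
    SAMPLE_FLOWS.append((date(2025, 5, _d), "SRV-FILE01", "203.0.113.10", 2 * GB))
    SAMPLE_FLOWS.append((date(2025, 5, _d), "WS-012", "203.0.113.10", 50_000_000))
SAMPLE_FLOWS += [
    (date(2025, 5, 20), "SRV-FILE01", "203.0.113.10", 2 * GB),
    (date(2025, 5, 20), "SRV-FILE01", "198.51.100.7", 300 * GB),
    (date(2025, 5, 20), "WS-012", "203.0.113.10", 60_000_000),
    (date(2025, 5, 21), "SRV-FILE01", "198.51.100.7", 400 * GB),
]


def daily_totals(flows):
    """Aggregate bytes sent per (host, day) and per (host, day, destination)."""
    totals = defaultdict(int)
    by_dest = defaultdict(int)
    for day, host, dest, nbytes in flows:
        totals[(host, day)] += nbytes
        by_dest[(host, day, dest)] += nbytes
    return totals, by_dest


def flag_exfiltration(flows, factor=10, floor_bytes=50 * GB, min_history=3):
    """Alert on any (host, day) whose outbound volume exceeds both a multiple of the
    host's own median daily volume and an absolute floor. The median baseline is
    computed only from days strictly before the one being scored, so a sustained
    bulk transfer does not silently raise its own baseline."""
    totals, by_dest = daily_totals(flows)
    alerts = []
    for (host, day), sent in sorted(totals.items(), key=lambda kv: kv[0]):
        history = [v for (h, d), v in totals.items() if h == host and d < day]
        if len(history) < min_history:
            continue  # not enough history to score this host yet
        baseline = int(statistics.median(history))
        threshold = max(factor * baseline, floor_bytes)
        if sent > threshold:
            dests = {dst: v for (h, d, dst), v in by_dest.items()
                     if h == host and d == day}
            alerts.append({
                "host": host, "day": day, "bytes": sent,
                "baseline": baseline, "threshold": threshold,
                "top_destination": max(dests, key=dests.get),
            })
    return alerts


if __name__ == "__main__":
    for a in flag_exfiltration(SAMPLE_FLOWS):
        print(f"{a['day']} {a['host']}: {a['bytes'] / GB:.0f} GB sent "
              f"(baseline {a['baseline'] / GB:.0f} GB/day) -> {a['top_destination']}")
```

On the constructed data the file server is flagged on both bulk-transfer days while the workstation, whose volume grows by a few percent, is not. The absolute floor keeps a quiet host that jumps from 10 MB to 200 MB from paging anyone, and the "prior days only" baseline is what lets the second day of a multi-day exfiltration still alert; a rolling window that included the first day would have absorbed it.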
Covenant Health has already taken steps to enhance its IT security posture, engaged third-party forensic specialists, and offered 12 months of complimentary identity protection services to affected individuals. Continued vigilance and adherence to best practices are essential to prevent future incidents.
References
Official Covenant Health Disclosure: https://covenanthealth.net/cybersecurity/
BleepingComputer News Report: https://www.bleepingcomputer.com/news/security/covenant-health-says-may-data-breach-impacted-nearly-478-000-patients/
MITRE ATT&CK Qilin: https://attack.mitre.org/software/S1242/
Qualys Qilin Analysis: https://blog.qualys.com/vulnerabilities-threat-research/2025/06/18/qilin-ransomware-explained-threats-risks-defenses
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor cybersecurity risks within their vendor and partner ecosystems. Our platform enables continuous risk assessment, automated evidence collection, and actionable reporting to support incident response and regulatory compliance. For questions regarding this report or to discuss how Rescana can support your organization’s risk management efforts, please contact us at ops@rescana.com.