The breach in May was originally thought to have only impacted just over 4,000 Maine residents.
MAINE, USA — Covenant Health, the Massachusetts-based parent company of St. Mary’s Health System in Lewiston and St. Joseph Healthcare in Bangor, is now reporting that a May 2025 data breach impacted 478,188 patients, which included more than 284,529 in Maine.
It is a major increase from earlier figures, when the company said 7,864 people were affected, with just 4,659 Mainers included in that count.
Covenant Health said the type of sensitive personal information potentially involved in the breach varied by patient but included names, Social Security numbers, and home addresses.
“Healthcare data is very valuable,” said Dr. Matt Graham, associate professor of Information Systems and Security Management at the University of Maine School of Business.
According to Covenant Health, an “unauthorized party” accessed patient records during a cyberattack on May 18, 2025. The company shared the updated impact last Wednesday.
Dr. Graham explained that hospitals typically prioritize securing their systems immediately after a breach, with detailed data analysis taking place afterward.
“In the very, very short term of identifying a cybersecurity breach, the immediate goal… is just to secure their systems,” Graham told NEWS CENTER Maine.
On December 10, 2025, through its ongoing extensive data analysis, Covenant Health said it and third-party forensic specialists determined that additional patient information may have been involved in May’s data security breach.
Covenant Health said it has issued notifications to impacted patients. In a statement, the company added:
“Individuals whose information may have been involved in the incident should review the statements they receive from their healthcare providers and health insurance plans. If they see any services that were not received, they should contact the provider or health plan immediately.”
Despite the severity of the breach, Dr. Graham says patients should feel confident that hospitals take cybersecurity seriously and that protecting patient data is a top priority.
Covenant Health also said it has enhanced the security of its IT environment to help prevent an event such as this one from happening again.
In a statement to NEWS CENTER Maine, Suzanne Spruce, senior vice president and chief communication officer of Northern Light Health, reassured patients cyber security is something they take very seriously.
“We continuously monitor for threats, enhance our systems when appropriate, and provide important cyber security training for employees,” said Spruce.