
Hospitals in the states of Maine and New Hampshire have experienced severe operational disruptions following a cyberattack targeting Covenant Health, a Catholic healthcare organization. As a result of the incident, all digital systems were taken offline, leaving staff and patients with limited access to essential services.
Covenant Health encompasses three hospitals, numerous long-term care facilities, rehabilitation centers, and senior care institutions across the U.S. states of Maine, Massachusetts, New Hampshire, Pennsylvania, Rhode Island, and Vermont. The organization employs approximately 6,000 individuals.
In an official statement, representatives from Covenant Health confirmed that the attack affected two hospitals in Maine—St. Joseph Hospital and St. Mary’s Health System—as well as a hospital in New Hampshire, also named St. Joseph Hospital.
The first signs of the attack emerged on May 26, when anomalies were detected in the network’s connectivity. In an effort to contain the threat, a decision was made to suspend access to all information systems across all affiliated facilities.
Cybersecurity experts were brought in to investigate the nature of the incident and restore full access to the infrastructure. Despite the disruption, Covenant Health is urging patients not to cancel scheduled appointments and to contact their physicians’ offices directly with any concerns. The organization has emphasized that long-term care units were largely unaffected, as they operate on a separate clinical platform.
Updates regarding the outages were published on the official websites of all three affected hospitals, citing issues with phone service, internet connectivity, and the temporary unavailability of certain services. For instance, St. Mary’s Health System now accepts lab orders only via paper referrals or through MyChart, if orders are viewable on the platform. At St. Joseph Hospital in New Hampshire, laboratory services are currently limited to the main campus and only accessible with a physical referral.
Notably, no cybercriminal group has yet claimed responsibility for the attack. A year ago, one of the largest Catholic healthcare networks in the U.S. fell victim to a ransomware campaign carried out by the Black Basta group.
Several healthcare organizations in the United States have already reported cyber incidents in 2025. These include the recent attack on Kettering Health hospitals in Ohio. Earlier in the year, clinics in Maryland spent weeks attempting to restore access to digital services following a breach, while cyberattacks on a blood donation center in New York and dialysis giant DaVita have posed serious threats to patient safety.