A series of class action lawsuits alleges that Covenant Health Inc., a Catholic health care organization operating in New England and Pennsylvania, failed to meet its legal and contractual obligations to protect patient information.
What happened
The primary action was filed on January 6, 2026, by plaintiff Michael Wickett in the U.S. District Court for the District of Massachusetts, under the case name Wickett v. Covenant Health, Inc., Case No. 1:26-cv-10044. In the weeks that followed, multiple related actions were filed in the same court, reflecting similar allegations and proposed class claims.
These include:
- Cole v. Covenant Health, Inc., Case No. 1:26-cv-10128, filed January 13, 2026
- Hall v. Covenant Health, Inc., Case No. 1:26-cv-10146, filed January 14, 2026
- Walder v. Covenant Health, Inc., Case No. 1:26-cv-10155, filed January 15, 2026
- Chuba v. Covenant Health, Inc. et al., Case No. 1:26-cv-10171, filed January 16, 2026
The background
The data security incident that ultimately led to the Covenant Health class action lawsuits began in May 2025, according to a formal notification letter sent to affected patients by Covenant Health, Inc. On May 26, 2025, Covenant Health detected unusual activity within its information technology environment and initiated an internal response to secure and restore its systems.
The organization retained third-party information technology and forensic specialists to investigate the scope and origin of the activity. The investigation determined that an unauthorized party had gained access to Covenant Health’s IT environment on or about May 18, 2025, and was able to access certain patient information during that period. Covenant Health stated that it notified federal law enforcement and relevant regulatory authorities and took steps to enhance system security following the incident.
What was said
According to Murphy Legal Firm, “As a result of the Covenant Health data breach, these individuals’ personal and highly confidential information may be in the hands of cybercriminals who can place the information for sale on the dark web or use the information to perpetrate identity fraud.”
Why it matters
According to a commentary by Reuters, in the Marriott data breach litigation, the U.S. Court of Appeals for the Fourth Circuit reversed a lower court’s certification of a class action after finding that the hotel’s customer agreements contained a valid class‑action waiver, holding that the waiver “precludes certification of all classes against Marriott.” That decision arose from consolidated litigation over a breach of the Starwood reservation system in which plaintiffs alleged that Marriott failed to protect personal information adequately.
The Marriott decision is relevant to the Covenant Health class action because both sets of cases involve plaintiffs seeking to vindicate harms from alleged failures to protect sensitive personal information, and both hinge on whether the litigation can proceed as a class action. Marriott shows a procedural issue in data breach litigation. According to the commentary, even where harm is alleged, a class action may be defeated on procedural grounds such as contractual waivers, and appellate scrutiny of class certification can be dispositive.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What is a healthcare class action?
A healthcare class action is a type of lawsuit in which one or more plaintiffs represent a larger group of individuals who allege similar harm caused by a healthcare provider or organization.
What types of claims are common in healthcare class actions?
Common claims include negligence, breach of contract, unjust enrichment, violation of privacy or data protection laws, and breach of fiduciary duty.
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
Mara Ellis
