
Covenant Surgical Partners, a Nashville, Tennessee-based operator of single- and limited-specialty ambulatory surgery centers (ASCs), has reported a data breach impacting 88,609 individuals, according to a filing with the U.S. Department of Health and Human Services’ Office for Civil Rights.
The breach involved the potential exposure of protected health information (PHI) and other sensitive personal data. While full details have not been released, information that may have been compromised includes names, contact details, dates of birth, medical records, insurance data and payment information.
Covenant, which operates under the name Covenant Physician Partners, provides business and clinical support services to physician practices and surgery centers across the country. The company employs more than 1,000 individuals and partners with providers in several states.
At least two law firms – Levi & Korsinsky LLP and Strauss Borrelli PLLC – have launched investigations into the incident, signaling potential legal action.
Levi & Korsinsky’s announcement suggested that affected individuals could be entitled to compensation, especially if the breach resulted from inadequate security measures.
“Data breaches are serious matters that can cause long-term damage,” the firm wrote. “Hackers may use stolen information to commit identity theft, financial fraud, or other crimes. Companies that fail to secure your personal data may be held liable for the resulting harm.”
ASCs faced a surge in cyberattacks in 2024, with recent incidents reported at facilities in Florida, Idaho and New York.
One of the most notable breaches occurred at the Surgery Center of Mid Florida, where hackers exploited a vulnerability in an IT vendor’s system to gain access to sensitive patient data, including Social Security numbers, health records and financial information.
Covenant has not publicly confirmed whether those impacted have been formally notified, but breach reporting rules require that affected individuals be contacted without unreasonable delay.
As cybercriminals continue to target health care providers of all sizes, ASCs must proactively bolster their defenses – even if they lack the robust IT infrastructure of larger hospital systems.
One of the most critical steps ASCs can take is implementing multi-factor authentication (MFA) across all systems. While password protection was once sufficient, today’s threat environment demands an extra layer of verification. By enabling MFA not just for in-house staff but also for third-party vendors and remote users, ASCs can reduce the risk of unauthorized access stemming from stolen or compromised login credentials.
Another essential practice is routine staff training combined with simulated phishing tests. Human error remains one of the most common causes of data breaches in health care, with phishing emails continuing to fool even experienced employees.
ASCs should also prioritize timely updates and patches for all systems. Outdated software often contains known vulnerabilities that hackers can easily exploit.
“Health care organizations can address common vulnerabilities and minimize cyber-attack risks by completing an annual risk assessment and augmenting those assessments through regular scans and penetration tests,” Jeremy Carriger, chief information security officer at Arcadia, previously told ASC News. “Often, these exercises will help you identify technical weaknesses in your program that you should record and track to ensure you’re following up to patch them. Additionally, tabletop exercises – both at the leadership and tactical responder levels – can pressure test your incident response plan and promote awareness and adherence to your plan.”