Advanced Family Surgery Center (AFSC) in Oak Ridge, Tennessee is part of Covenant HeaLth.
According to threat actors known as Genesis, on November 26, 2025, they contacted AFSC to inform them they had been compromised. Days later, a spokesperson informs DataBreaches, someone showed up to negotiate, but the negotiations reportedly never went anywhere.
On January 11, Genesis added AFSC to its dark web leak site, with a claim that they had exfiltrated 100 GB of data including:
– Healthcare Data.
– Personal Data.
– Financial Data.
– Users folders.
– Operational Data.
– Data from company file-server.
They also posted a file tree listing the files in the exfiltrated data. Examination of some of the files, provided to DataBreaches, confirmed that they include protected health information. As examples, DataBreaches saw surgical records on named patients that included patients’ name, date of birth, full social security number, date of service and physician, health insurance information, and narratives describing the surgical procedure.
On January 19, DataBreaches emailed AFSC to ask for their response to Genesis’s claims and the situation.
Surprisingly, Covenant Health responded hours later, asking DataBreaches to confirm we really intended to contact them as there were other health systems with similar names.
Did Covernant Health’s communications team not know that they had been the victim of a breach?
DataBreaches promplty responded with the relevant links demonstrating that yes, it was the Tennessee Covenant Health and AFSC that this site intended to reach.
There has been no substantive reply since then, despite a second request sent.
The countdown clock on Genesis’s leak site ran down yesterday. No AFSC data has been leaked as of publication. A leak site notice says it is being uploaded.
But it is almost two months since AFSC would have discovered the breach. Under HIPAA, regulated entities are required to notify patients and HHS no later than 60 calendar days from discovery.
If Covenant Health/Advanced Family Surgery Center has issued any media notice or notification, DataBreaches has been unable to find any as of publication, and it does not appear on HHS’s public breach tool.
This post will be updated if Covenant responds or more information becomes available.