Clover Health Confirms PHI Breach, Member Notifications Still Pending

Clover Health Investments, Corp. (CLOV) At edition (Jul 17, 2026) $2.3B · Live $2.3B

Under investigation

Company Background

Clover Health (Nasdaq: CLOV) operates Medicare Advantage plans, primarily a wide-network PPO, for approximately 155,000 members — predominantly elderly Medicare beneficiaries. The company pairs its insurance business with Clover Assistant, a proprietary AI platform designed to surface clinical decision support at the point of care. With a market capitalization of approximately $2.3 billion, it is a mid-sized player in a sector dominated by UnitedHealth, Humana, and CVS.

Financially, Clover has been on a steep growth curve. First-quarter 2026 revenue reached $749 million, up 62% year-over-year, driven by 51% membership growth. The company posted its first-ever quarterly GAAP net income of $27 million in Q1 2026 and has guided for its first full-year GAAP net income — between $0 and $20 million — in 2026. That trajectory represents a meaningful improvement from a full-year 2025 net loss of $86 million.

The company has experienced leadership change in recent months. CFO Peter Kuipers stepped down effective March 30, 2026; Clay Thornton, formerly CFO of Clover's insurance plan subsidiary, was named Interim CFO immediately thereafter. The circumstances of Kuipers's departure were not disclosed.

What Was Disclosed

A threat actor gained access to three non-managerial health plan employee accounts through social engineering on July 4, 2026. According to the filing, those accounts were assigned to employees with member visit-scheduling and broker-facing sales functions — roles with access to member personally identifiable information and protected health information, but with no access to corporate financial or claims systems.

Clover activated its incident response procedures immediately upon detecting anomalous login activity, engaged third-party cybersecurity experts, and notified law enforcement. Management states it believes the response "successfully contained and terminated the unauthorized access." However, the investigation remains ongoing into "the precise nature, scope, and extent of data that was subject to unauthorized access and acquisition," meaning the number of members whose information was exposed has not been established.

Required notifications to both regulators and impacted members have not yet been made. Management states it "continues to evaluate applicable regulatory and legal notification requirements and will make all required notifications based on its findings." The company does not believe the incident has had, or is reasonably likely to have, a material impact on its business, financial condition, or results of operations — a forward-looking statement that the filing's own boilerplate cautions may prove inaccurate depending on the scope of the breach, regulatory outcomes, and litigation.

Why It Matters

For a Medicare Advantage plan, PHI is among the most sensitive categories of personal data — it encompasses diagnoses, treatment histories, and health status for a membership base that is by definition elderly and enrolled in a federal health program. HIPAA's Breach Notification Rule generally requires covered entities to notify affected individuals within 60 days of discovering a breach, and to report to HHS; larger breaches (500 or more individuals in a state) also trigger media notice requirements. Because Clover has not yet determined the scope of compromised data, it is not yet possible to assess whether HIPAA notification timelines will be met.

The accounts involved — member visit-scheduling and sales — sit at an interface between the company and its members, which means the data at risk likely includes names, contact information, plan enrollment details, and potentially appointment or clinical scheduling data. The filing confirms PHI was accessible but does not specify what was actually viewed or exfiltrated. That distinction matters materially for regulatory liability and for any assessment of patient harm.

The counterweight here is real: three non-managerial accounts with scheduling and sales functions are a relatively contained attack surface, and the company's assertion that it moved quickly and excluded financial and claims systems from compromise is meaningful context. Clover is also entering the breach from a position of financial momentum, with its first GAAP-profitable quarter behind it, which limits the immediate financial fragility angle. The risk here is predominantly regulatory and reputational, not existential — but for a company whose 155,000 members are Medicare-eligible seniors, the latter should not be dismissed.