AUGUSTA, Maine — MaineGeneral Health suffered a cyberattack on its computer network last month that compromised personal information belonging to patients, employees and prospective donors, the health system announced Tuesday.
While the investigation into the breach continues, patients referred to MaineGeneral Medical Center for radiology services, such as MRIs and CT scans, over the last several years appear to be at the highest risk. Data identified as potentially compromised by the Federal Bureau of Investigation include dates of birth and emergency contact names, addresses and telephone numbers for patients referred by treating physicians to the hospital for those services since June 2009.
It also includes names, addresses and telephone numbers of certain employees, and similar information for certain prospective donors, the health system said.
The compromised data identified so far do not include Social Security numbers, patient names, patient medical or health insurance information, health records, driver’s license numbers, or credit and financial account information, according to MaineGeneral.
The breach potentially affects patients of all MaineGeneral Health subsidiaries, including MaineGeneral Medical Center in Augusta, MaineGeneral Rehabilitation and Long Term Care, MaineGeneral Retirement Community and MaineGeneral Community Care.
The FBI notified the health system on Nov. 13 “of the detection of certain MaineGeneral data on an external website that is not accessible by the general public,” according to a MaineGeneral news release. CEO Chuck Hays said the FBI declined to share that website with the health system.
MaineGeneral immediately launched an investigation and continues to cooperate with the FBI to determine the source and extent of the data breach, the news release states.
“We take any threat to the security of information entrusted to us very seriously,” Hays said in the release. “Once the attack was discovered, we immediately took countermeasures and also hired nationally-renowned computer forensic investigators to determine exactly what happened and what information is at risk. … We apologize for any inconvenience this incident may cause our community.”
Officials are still trying to determine how the “sophisticated cyber attack” occurred and who’s responsible, Hays said.
The release did not specify how many people were potentially affected by the cyberattack. But federal law typically requires health care organizations to notify the media of data breaches that could affect more than 500 patients.
More than three weeks have passed since the FBI notified the health system of the breach. Hays said MaineGeneral had to first verify the data, identify who was affected and set up a call center and credit monitoring for affected individuals during that time.
“In the world of data breaches, this is probably lightning speed,” he said.
The health system said it will mail letters to affected patients. It has also informed the Maine attorney general’s office, the Maine Department of Health and Human Services, the Maine Department of Professional and Financial Regulation, the Maine Computer Crimes Task Force, the Augusta Police Department, and the U.S. DHHS Office of Civil Rights, Hays said.
“To our knowledge, we’ve never experienced a cyber attack before,” he said.
The assistance line for anyone seeking additional information regarding the data breach can be reached at 877-441-2645, 9 a.m.-9 p.m. Monday-Saturday.
Although the information identified thus far by the FBI did not include financial or account information, MaineGeneral said it will offer affected individuals one year of complimentary credit monitoring and identity restoration services.
“This incident has impacted both our patients, our employees, our donors and quite frankly our family and friends,” Hays said. “It’s really quite disheartening. We’re making it a top priority to address this issue.”
U.S. Sen. Angus King, a member of the Senate Intelligence Committee, said he has contacted the FBI about the data breach.


