Northern Light Health's main office in Brewer Credit: Courtesy of Northern Light Health

Two brothers from Holden have sued Northern Light Health over a data breach last May that left them vulnerable to identity theft and affected more than 650,000 people.

The complaint, filed Tuesday in Penobscot County Superior Court, claims that Northern Light violated Maine law by sharing personal health care information with Blackbaud Inc. for fundraising purposes without patients’ prior permission. Northern Light also allegedly failed to encrypt the information it shared with Blackbaud.

Blackbaud is a South Carolina-based cloud data storage software that primarily serves nonprofits and health care organizations. It was subject to a ransomware attack from hackers last year who were able to access personal information for millions of people, including Northern Light patients, donors and potential donors.

Northern Light owns 10 hospitals and is associated with hundreds of health care providers throughout the state.

Jacob and Jeremy Gignac, both in their 20s, are seeking to recoup the money they have spent to protect themselves from identity theft and are asking the Brewer-based health care organization to pay for monitoring of their personal information going forward to guard against future identity theft.

The lawsuit is seeking class-action status.

Suzanne Spruce, a Northern Light spokesperson, on Thursday declined to comment on the allegations. She said the organization had just received a copy of the lawsuit and has not had time to review it.

Northern Light released information about the breach in September, saying that patient data may have been stolen by hackers in a ransomware attack on Blackbaud. The health care organization said the potentially stolen data included “limited protected health information,” including patient names, addresses, where and when patients were treated, and other personal information.

Hackers did not access patient credit card or banking information.

Northern Light provided the information to Blackbaud as part of its “grateful patient fundraising efforts,” the complaint said. Blackbaud allegedly would cross-reference the information with its wealth research service to identify potential donors who had been patients of Northern Light.

That violated the Maine Healthcare Confidentiality Act because the law does not provide for the disclosure of personal health care information for fundraising without prior authorization, the complaint alleged. Maine’s confidentiality law is more stringent than the federal patient confidentiality law known as HIPAA.

The brothers first sued Northern Light and Blackbaud in state court in Bangor in November 2020. In January, the defendants moved the case to federal court. The next month, the Gignacs’ lawyers withdrew the brothers’ complaint against Northern Light, and their case against Blackbaud was consolidated with other cases filed around the country in federal court in South Carolina.