Mount Desert Island Hospital, Inc.

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Mount Desert Island Hospital, Inc. (MDIH) in Bar Harbor, Maine, experienced a data security incident involving unauthorized access to its network between April 28, 2023, and May 7, 2023. The breach was first detected due to unusual activity on their network on May 4, 2023, and law enforcement was notified[1]. The types of information potentially impacted by this incident include names, addresses, dates of birth, driver’s license/state identification numbers, Social Security numbers, financial account information, medical record numbers, Medicare or Medicaid identification numbers, mental or physical treatment/condition information, diagnosis codes/information, dates of service, admission/discharge dates, prescription information, billing/claims information, personal representative or guardian names, and health insurance information[1][4].

The total number of persons affected by the breach was 32,661, including 26,046 Maine residents[2]. MDIH began mailing notices to potentially impacted individuals on June 30, 2023, and offered complimentary credit monitoring and identity protection services for 24 months through IDX[2]. The Snatch ransomware group was identified as being behind the cyberattack, and they claimed to have stolen 266 GB of data, which was listed on their leak site[4].

In response to the incident, MDIH worked with third-party specialists to re-secure their network, implement additional security precautions, and review their policies and procedures related to data protection[1]. Individuals affected by the breach were encouraged to remain vigilant against identity theft by reviewing account statements and explanation of benefits forms for suspicious activity and to detect errors. They were also advised on how to place a fraud alert or credit freeze by contacting the credit reporting agencies[1].

For more information about the incident or to enroll in the complimentary credit monitoring services, individuals were directed to contact MDIH’s dedicated assistance line[1].

Citations:

  1. https://www.mdihospital.org/notice-of-data-security-incident/
  2. https://apps.web.maine.gov/online/aeviewer/ME/40/4edaf9ec-0c98-4ae2-8382-6b44675f62ab.shtml
  3. https://www.mdihospital.org
  4. https://www.hipaajournal.com/snatch-ransomware-group-behind-mount-desert-island-hospital-cyberattack/
  5. https://apps.web.maine.gov/online/aeviewer/ME/40/list.shtml
  6. https://apps.web.maine.gov/online/aeviewer/ME/40/de93584a-6040-4e49-8ec8-b276479c95a2.shtml
  7. https://dojmt.gov/consumer/databreach/
  8. https://ago.vermont.gov/sites/ago/files/2023-07/2023-06-30%20Mount%20Desert%20Island%20Hospital%20Data%20Breach%20Notice%20to%20Consumers.pdf
  9. https://law.justia.com/cases/federal/appellate-courts/F3/156/31/481970/
  10. https://www.themainewire.com/2023/07/24180-patient-records-potentially-exposed-in-mount-desert-island-hospital-data-breach/
  11. https://www.techtarget.com/searchsecurity/feature/Publicly-disclosed-US-ransomware-attacks-in-2023
  12. https://theqsjournal.substack.com/p/breaking-news-24180-patients-of-mdi
  13. https://themainemonitor.org/in-a-first-for-maine-ransomware-hackers-hit-two-public-wastewater-plants/
  14. https://www.linkedin.com/posts/jaredrimer_mount-desert-island-hospital-updates-its-activity-7111114085127114752-az6k
  15. https://www.hipaaguidelines101.com/47-increase-in-ransomware-attacks-and-data-breaches-reported-by-mount-desert-island-hospital-and-pharm-pacc-corporation/
Breach Submission Date Jun 30, 2023
Converted Entity Name Mount Desert Island Hospital, Inc.
Converted Entity Type Healthcare Provider
State ME
Individuals Affected 29,952
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes