Recently, Central Maine Medical Center confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on CMMC’s network. While Central Maine Medical Center has not yet publicly released the data types that were compromised as a result of the incident, the company explains that the breach impacted 11,938 individuals. Subsequently, CMMC began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Central Maine Medical Center data breach, please see our recent piece on the topic here.
More Details About the Central Maine Medical Center Breach
News of the Central Maine Medical Center breach is very fresh, as the company only recently provided notice of the incident to the federal government. Thus, at this point, very little is known about the breach, its causes, and what type of data was compromised as a result of the breach.
However, based on CMMC’s filings, it appears as though the breach involved hackers gaining access to the company’s IT system. CMMC believes that the recent breach resulted in the personal information of approximately 11,938 individuals being compromised.
On June 3, 2022, Central Maine Medical Center provided official notice of the breach, as required under state and federal law. This notice outlines the type of data that was leaked as a result of the breach and provides consumers with steps they can take to reduce the risk of identity theft or fraud.
Central Maine Medical Center is a hospital in Lewiston, Maine and part of the Central Maine Healthcare (“CMH”) system. CMMC was founded in 1891 but only more recently became a part of the Central Main Healthcare system. Aside from CMMC, Central Maine Healthcare facilities also include Bridgton Hospital and Rumford Hospital, Central Maine Heart and Vascular Institute and the Central Maine Comprehensive Cancer Center. Central Maine Medical Center employs more than 1,100 people, and, in total, Central Maine Healthcare employs over 3,000 people and generates approximately $440 million in annual revenue.
Healthcare Data Breaches Place Protected Health Information at Risk
Central Maine Medical Center did not confirm the type of data leaked as a result of the recent incident. However, one could reasonably assume, given the fact that CMMC is a healthcare provider, that patients’ protected health information was among the compromised data.
Protected health information has been in the news quite a bit lately, as the number of healthcare data breaches continues to increase. Protected health information, also referred to as PHI, is any identifying information that relates to a patient’s health condition or how a patient pays for their healthcare. For example, the results of a CT scan or MRI could be protected health information, as could insurance information or a patient’s medical records. However, healthcare-related information is only considered protected if it contains one or more identifiers. An identifier is an additional piece of data that can be used to identify a patient. A few of the most common identifiers include:
Any geographical identifier more specific than a state;
Dates of treatment;
Full name, or a last name with an initial;
Full-face images or other identifying photographs;
Medical record numbers;
Phone numbers; and
Social Security numbers.
When protected health information is compromised, hackers or other criminals can use this data to identify the patient and then carry out a range of frauds. For example, by stealing a patient’s protected health information, a cybercriminal can commit identity theft against a patient. However, identity theft in this context isn’t the traditional financial identity theft but something much more nefarious—healthcare identity theft.
Healthcare identity theft is not only harder to resolve and comes at a far greater cost to patients than other data breaches, but it can also put their physical health in jeopardy. This is because a hacker may sell a patient’s data to a third party who cannot afford to pay for medical treatment. The third party then pretends to be the identity theft victim, obtaining medical care in the victim patient’s name.
When the “fake patient” sees a doctor or surgeon, they will give the provider their own information, such as what medications they take, what procedures they’ve had in the past, or what drugs they are allergic to. This can result in the victim patient’s medical record containing inaccurate information.
Healthcare data breaches pose very real risks, and those who fall victim to such a breach should be sure to take the necessary steps to protect themselves. Additionally, victims may be able to pursue a data breach lawsuit against the organization that was responsible for leaking their data.