Central Maine Healthcare data breach impacted over 145,000 patients

A cyberattack on Central Maine Healthcare exposed the personal, medical, and insurance data of about 145,000 patients.

Central Maine Healthcare notified patients affected by a data security incident. The organization detected unusual activity on June 1, 2025, secured its systems, and launched an investigation with the help of third-party cybersecurity experts while notifying law enforcement.

Central Maine Healthcare is a nonprofit healthcare system serving central and western Maine. It operates multiple hospitals, clinics, and physician practices, offering emergency, inpatient, outpatient, primary, and specialty care. The organization plays a key role in regional healthcare delivery and community health services.

The investigation concluded on November 6, 2025, confirming a data breach and determining which patient information may have been involved.

The data breach notification shared with the Maine Attorney General’s Office reports that the number of impacted individuals is 145,381.

The investigation confirmed that an unauthorized party accessed Central Maine Healthcare’s IT systems between March 19 and June 1, 2025, potentially accessing patient data such as names, birth dates, treatment details, provider names, insurance information, and in some cases Social Security numbers.

“The investigation determined that an unauthorized party accessed Central Maine Healthcare’s IT environment between March 19, 2025 and June 1, 2025. While in Central Maine Healthcare’s IT environment, the unauthorized party may have accessed and/or acquired files that contain Central Maine Healthcare patient information, including names, dates of birth, treatment information, dates of service, provider names, and health insurance information. For some patients, these files may have also contained their Social Security numbers.” reads the notice of data security incident published by the company.

“The healthcare organization notified affected patients between July 31 and December 29, 2025, and set up a toll-free response line to answer questions and provide support, with additional details available on its website.

The company is offering affected individuals free credit protection services for 12 months. This includes single-bureau credit monitoring, credit reports, and credit scores, with same-day alerts when changes occur to a credit file. The service also provides proactive fraud assistance to help answer questions or support victims of identity fraud. These services are delivered by Cyberscout, a TransUnion company that specializes in fraud prevention and recovery.

Central Maine Healthcare advised affected patients to closely review medical and insurance statements for any unfamiliar services and to promptly contact their healthcare provider or insurer if they notice anything suspicious.

“Central Maine Healthcare takes this incident very seriously and sincerely regrets any concern this may cause. To help prevent something like this from happening again, Central Maine Healthcare has implemented enhanced monitoring and alerting software to further protect and monitor its systems.” concludes the notice.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)