Cyber Incident Victim: Central Maine Healthcare
Date: Mar 2025
Location: United States of America
Summary
Central Maine Healthcare experienced a data breach after detecting unusual activity on its network, with an intrusion that persisted for several months before discovery. The breach exposed personal data including names, dates of birth, Social Security numbers, medical and health insurance information, and addresses for approximately 145,000 individuals. Following the investigation, the organization began notifying affected individuals and provided a toll‑free response line, along with one year of credit and identity theft monitoring services that include dark web surveillance. A law firm is now reviewing potential legal claims on behalf of those impacted.
Description
On June 1, 2025, Central Maine Healthcare detected unusual activity on its computer network and became aware of a potential data breach. A subsequent forensic investigation determined that cybercriminals had infiltrated the network and gained access to files from March 19, 2025 through June 1, 2025. The intrusion spanned approximately two and a half months. The organization enlisted third‑party cybersecurity experts to assist with the investigation.

The investigation concluded that the attackers potentially accessed and acquired files containing the personal information of approximately 145,000 individuals. Exposed data included names, dates of birth, Social Security numbers, medical information, health insurance details, treatment details, provider names, dates of service, and mailing addresses. This information represented a combination of personal identifiers and protected health information. The breach affected patients across the organization's facilities in Maine, including Central Maine Medical Center in Lewiston and the Bridgton and Rumford hospitals.

Central Maine Healthcare began notifying potentially affected individuals on July 31, 2025, and continued outreach with a final round of notifications sent on December 29, 2025. To support those impacted, the organization established a dedicated toll‑free incident response line for inquiries and provided one year of credit and identity theft monitoring services that include dark web monitoring. The investigation into the attack was completed on November 6, 2025, with the assistance of the third‑party experts. Following the breach, Murphy Law Firm commenced an investigation into possible legal claims on behalf of affected individuals, exploring a class action lawsuit. In 2025, Central Maine Healthcare was acquired by Prime Healthcare Foundation.
