Cyber Incident Victim: Mount Desert Island Hospital
Date: Apr 2023
Location: United States of America
Summary
Mount Desert Island Hospital experienced an external system breach where an unauthorized actor accessed its network for a limited period. The incident potentially compromised sensitive personal and protected health information, including names, financial account details, Social Security numbers, driver's license numbers, and medical treatment information. The organization offered affected individuals complimentary credit monitoring and identity protection services and implemented additional security measures following the event.
Description
On or about April 28, 2023, unauthorized actors gained access to the computer network of Mount Desert Island Hospital, Inc. (MDIH), a healthcare provider located at 10 Wayman Lane in Bar Harbor, Maine. The external system breach, characterized as hacking, persisted for a limited time, with the period of unauthorized access extending until May 7, 2023. The hospital's internal security monitoring did not detect the intrusion at its inception. The incident remained undiscovered for several weeks. It was not until May 4, 2023, that MDIH personnel observed unusual activity on the network, prompting the immediate initiation of an internal investigation. Upon discovery, the organization also notified law enforcement authorities of the potential breach.

The forensic investigation, conducted with the assistance of external specialists, confirmed that the unauthorized access was confined to certain areas of the hospital's network. The primary objective of the investigation was to determine the scope of the incident and the specific types of protected information that were potentially accessed or acquired by the threat actors. The review process was complex and time-consuming, as it involved a detailed analysis of the affected systems to identify the data subjects and the nature of their information. This process was still ongoing at the time of the initial public notification on June 5, 2023.
The data exposed in the incident was extensive and highly sensitive, given the healthcare context. The information potentially impacted included a combination of personal identifiers, financial data, and protected health information. The specific data elements involved were name, address, date of birth, driver’s license or state identification number, Social Security number, and financial account information. Medical and clinical information was also potentially compromised, including medical record number, Medicare or Medicaid identification number, details regarding mental or physical treatment or condition, diagnosis codes and information, date of service, admission and discharge dates, and prescription information. Furthermore, billing and claims information, the name of a personal representative or guardian, and comprehensive health insurance information were part of the data set accessible during the breach.
The total number of individuals affected by this data security incident was 25,937. A significant majority of those affected were residents of the state of Maine, totaling 23,013 individuals. Because the number of impacted Maine residents exceeded 1,000, Mount Desert Island Hospital fulfilled its statutory obligation to notify the national consumer reporting agencies about the breach. The hospital officially discovered the full extent of the breach on June 21, 2023, which marked the point when the investigation had progressed sufficiently to confirm the compromise of personal information.
In direct response to the incident, Mount Desert Island Hospital took several actions to contain the threat and prevent a recurrence. The organization worked with third-party cybersecurity specialists to re-secure its network environment. This involved expelling the threat actors, closing the vulnerability they exploited, and implementing additional security precautions to harden the network's defenses against future attacks. Furthermore, the hospital initiated a comprehensive review of its existing policies and procedures related to data protection and network security to identify areas for improvement.
MDIH began mailing written notification letters to all potentially impacted individuals on June 30, 2023. These notices provided a description of the incident, the types of information that were potentially involved, and the steps the hospital had taken in response. The notification also offered remedial measures to the affected individuals. Although the hospital stated it was unaware of any actual misuse of the information resulting from the event, it offered complimentary credit monitoring and identity protection services to those affected out of an abundance of caution. These services were provided by IDX and included credit monitoring and identity protection for a duration of twelve months.
To support the notified individuals, MDIH established a dedicated assistance line at 1-888-220-4877. This line was staffed Monday through Friday from 9 a.m. to 9 p.m. Eastern Time, excluding major U.S. holidays, to answer questions about the incident and to assist with enrollment in the protection services. The high volume of calls following the delivery of the mailed notices prompted the hospital to publish a list of frequently asked questions on its website to address common concerns and provide information efficiently. The public notice also included standard guidance from regulatory bodies, advising individuals to remain vigilant by reviewing their account statements and explanations of benefits for any suspicious activity. The notice provided contact information for the three major credit bureaus—TransUnion, Experian, and Equifax—so individuals could place fraud alerts or credit freezes on their files. It also directed individuals to resources at the Federal Trade Commission for further education on identity theft protection.
