AUGUSTA — MaineGeneral Medical Center said Friday that personal information belonging to an additional 2,000 people may have been compromised through a computer security breach and that the information included Social Security numbers.

Chuck Hays, CEO of MaineGeneral Health, the hospital’s parent company, said the higher number came to light after the hospital’s own investigation into a Sept. 11-12, 2015, cyberattack on its network. The hospital first learned of that attack in November from the FBI.

A month ago, the hospital announced that compromised data included birth dates and emergency contact information for certain patients referred for radiology services since June 2009. At that time, the hospital estimated that 118,000 people potentially were affected.

“What we’re reporting out today is anything we saw that could be potentially accessed,” Hays said on Friday. He also said the hospital had no proof that any information was obtained about the 2,000 people who were identified more recently.

“The investigation hasn’t found any cases of fraud or ID theft as a result of this breach,” he said.

Hays said letters will be sent to people telling them specifically what information might have been exposed.


“Out of the 120,000 people, different people had different data elements potentially accessed,” he said.

He said Friday’s announcement comes as the hospital’s investigation ends, even as the FBI continues to seek the perpetrators of the cyberattack.

“We’re confident we’ve identified all the protected health info potentially at risk,” he said.

The news release outlines the new material that was exposed:

• The names, Social Security numbers, addresses, phone numbers, attending physician names, account numbers and ages of certain patients in a patient advocacy file.

• The names, Social Security numbers, dates of birth, addresses, medical record numbers, treatment information and health history information of certain patients in a patient diagnostic registry file.


• The names and addresses of certain patients on a mailing list file related to a physician departure in October 2010.

• The names, addresses, dates of birth, Social Security numbers, and medical identification numbers of certain patients in a monitoring system file.

• The name, address, procedure date, procedure description, diagnosis and treatment choice of a patient in a letter to the patient.

The hospital is offering free credit monitoring and identity restoration services to those whose information might have been exposed.

Hays said the hospital’s computer data banks probably have information on millions of people that the hospital collected over the years.

A website maintained by the Office of Civil Rights in the U.S. Department of Health and Human Services lists breaches of unsecured protected health information that affect 500 or more people.


It shows that in December, MaineGeneral Health and subsidiaries reported the hacking of its network server and that the Belgrade Regional Health Center reported unauthorized access to paper and films when a letter to patients inadvertently contained the name of another of its patients.

In March 2013, Maine Medical Center in Portland reported an email breach.

In the MaineGeneral incident, Hays said the compromised information may include patients who were referred to radiology over the past six years at all MaineGeneral Health subsidiaries, including MaineGeneral Medical Center in Augusta; MaineGeneral Rehabilitation and Long Term Care, with nursing homes in Augusta; and MaineGeneral Retirement Community and MaineGeneral Community Care, which has facilities in Kennebec and Somerset counties.

Hays said in December the hospital regularly upgrades its computer systems to protect patient and employee information. That process was in place before the hospital moved to its new facility in 2013.

“Our security systems are constantly being upgraded every time there’s a new threat,” Hays said. “It’s not relative to a new building or moving. It’s really constant upgrading.”

Betty Adams — 621-5631

Twitter: @betadams
