On June 30, Mount Desert Island Hospital in Maine reported a breach to HHS that affected 24,180 patients. The hospital had previously disclosed the incident on June 5, when they posted a notice on their website that said that they had detected unusual activity on their network on May 4. An investigation determined that there had been unauthorized access between April 28 and May 7, 2023.
The types of information that may have been impacted reportedly included name, address, date of birth, driver’s license/state identification number, Social Security number, financial account information, medical record number, Medicare or Medicaid identification number, mental or physical treatment/condition information, diagnosis code/information, date of service, admission/discharge date, prescription information, billing/claims information, personal representative or guardian name, and health insurance information.
As of June 5, they said they were unaware of any misuse of information.
In response to the incident, they worked with third-party specialists to re-secure their network, implemented additional security precautions, reviewed policies and procedures related to data protection.
Their June 5 notice does not mention offering patients any complimentary protection or mitigation services.
There does not seem to be any update to their notice.
DataBreaches first became aware of this incident on June 5, but not because of the hospital’s notice. Snatch Team had added a listing to their leak site for the hospital on June 5.
On June 5, there was no proof of claims or files posted by Snatch Team. Nor has any proof of claims been posted since then on the threat actors’ site.
But did the hospital know about Snatch Team by June 5 when they posted their notice? There is no mention of any extortion demand in their June 5 notice.
DataBreaches sent an email inquiry to the hospital today that posed four questions:
- What extortion demand did MDI Hospital receive from “Snatch Team?”
- Did the hospital contact/negotiate with them at all?
- Did the hospital decide not to pay?
- If Snatch Team leaks the data, will the hospital then post a new notification warning patients that their data has been leaked on the internet?
No reply was received by publication.