DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Mount Desert Island Hospital updates its breach disclosure again but still doesn’t reveal what data were leaked

Posted on September 20, 2023 by Dissent

On July 1, DataBreaches reported that  Mount Desert Island Hospital (MDIH) in Maine notified HHS on June 30 that 24,180 patients had been affected by a breach between April 28 and May 7. The types of protected health information involved included name, address, date of birth, driver’s license/state identification number, Social Security number, financial account information, medical record number, Medicare or Medicaid identification number, mental or physical treatment/condition information, diagnosis code/information, date of service, admission/discharge date, prescription information, billing/claims information, personal representative or guardian name, and health insurance information.

The breach was first disclosed by MDIH on its website on June 5, but DataBreaches first became aware of the breach when Snatch Team posted it to their leak site on June 5.

On July 6, MDIH updated its website notification to indicate that they had started to mail out notification letters but were still determining who needed to be notified. They also provided an FAQ about the incident and indicated that some complimentary credit monitoring and identity theft restoration services were being offered.

On July 17, they notified the Maine Attorney General’s Office that 25,937 people had been affected, of whom 23,013 were Maine residents and 19,802 were patients.

On August 15, Snatch updated their listing and leaked over 260 GB of files from MDIH.

MDIH has not updated its website notice since the July 6 update, but on September 19, MDIH submitted an updated notification to the Maine Attorney General’s Office indicating that a total of 32,661 people were affected by the breach, of whom 26,046 were Maine residents. That number includes both patients and employees.

MDIH’s website notice makes no mention that data has been leaked on the clear net and dark web.

MDIH’s notifications to the Maine Attorney General’s Office do not mention that data has been leaked on the clear net and dark web, even though the second notification was more than one month after Snatch updated their leak site.

MDIH’s letters sent to patients and employees do not reveal that data has been leaked on the clear net and dark web.

Did MDIH download the data from Snatch to see what is in it?  DataBreaches has encountered difficulties trying to download it, so can’t be sure there is a lot of patient data in it, but a spokesperson for Snatch confirmed that there are patient data in the publicly available downloads.  So why hasn’t MDIH told patients this?

In related news, CISA has issued a joint advisory about Snatch Team today. DataBreaches asked Snatch for their comments on it, and they replied:

First of all, we repeat once again that we have nothing to do with Snatch Ransomware, we are Security Notification Attachment, and we have never violated the terms of the concluded transactions, because our honesty and openness is the guarantee of our income.

Related posts:

  • At some point, SNAtch Team stopped being the Snatch ransomware gang. Were journalists the last to know?
  • Four ransomware attacks on non-U.S. medical entities: Did anyone get notified?
  • Mount Desert Island Hospital notifies 24,180 patients of April network attack
Category: Commentaries and AnalysesHealth DataU.S.

Post navigation

← #StopRansomware: Snatch Ransomware
Covington Client Intervenes in SEC Battle, Objecting to Disclosure of Identity →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity
  • Patient death at London hospital linked to cyber attack on NHS
  • ShinyHunters and team members arrested in France (2)
  • Texas Enacts Liability Shield From Punitive Damages for Certain Small Businesses That Adopt Cybersecurity Programs
  • Dublin ETB fined €125,000 for data protection breaches
  • From $5,000 to $800,000: Days Apart, OCR Security Settlements Show Puzzling Math
  • Liberty Township in Ohio has recovered its network after a ransomware attack

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.
Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report