DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Mount Desert Island Hospital updates its breach disclosure again but still doesn’t reveal what data were leaked

Posted on September 20, 2023 by Dissent

On July 1, DataBreaches reported that  Mount Desert Island Hospital (MDIH) in Maine notified HHS on June 30 that 24,180 patients had been affected by a breach between April 28 and May 7. The types of protected health information involved included name, address, date of birth, driver’s license/state identification number, Social Security number, financial account information, medical record number, Medicare or Medicaid identification number, mental or physical treatment/condition information, diagnosis code/information, date of service, admission/discharge date, prescription information, billing/claims information, personal representative or guardian name, and health insurance information.

The breach was first disclosed by MDIH on its website on June 5, but DataBreaches first became aware of the breach when Snatch Team posted it to their leak site on June 5.

On July 6, MDIH updated its website notification to indicate that they had started to mail out notification letters but were still determining who needed to be notified. They also provided an FAQ about the incident and indicated that some complimentary credit monitoring and identity theft restoration services were being offered.

On July 17, they notified the Maine Attorney General’s Office that 25,937 people had been affected, of whom 23,013 were Maine residents and 19,802 were patients.

On August 15, Snatch updated their listing and leaked over 260 GB of files from MDIH.

MDIH has not updated its website notice since the July 6 update, but on September 19, MDIH submitted an updated notification to the Maine Attorney General’s Office indicating that a total of 32,661 people were affected by the breach, of whom 26,046 were Maine residents. That number includes both patients and employees.

MDIH’s website notice makes no mention that data has been leaked on the clear net and dark web.

MDIH’s notifications to the Maine Attorney General’s Office do not mention that data has been leaked on the clear net and dark web, even though the second notification was more than one month after Snatch updated their leak site.

MDIH’s letters sent to patients and employees do not reveal that data has been leaked on the clear net and dark web.

Did MDIH download the data from Snatch to see what is in it?  DataBreaches has encountered difficulties trying to download it, so can’t be sure there is a lot of patient data in it, but a spokesperson for Snatch confirmed that there are patient data in the publicly available downloads.  So why hasn’t MDIH told patients this?

In related news, CISA has issued a joint advisory about Snatch Team today. DataBreaches asked Snatch for their comments on it, and they replied:

First of all, we repeat once again that we have nothing to do with Snatch Ransomware, we are Security Notification Attachment, and we have never violated the terms of the concluded transactions, because our honesty and openness is the guarantee of our income.

Related posts:

  • At some point, SNAtch Team stopped being the Snatch ransomware gang. Were journalists the last to know?
Category: Commentaries and AnalysesHealth DataU.S.

Post navigation

← #StopRansomware: Snatch Ransomware
Covington Client Intervenes in SEC Battle, Objecting to Disclosure of Identity →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hunters International to provide free decryptors for all victims as they shut down (1)
  • SEC and SolarWinds Seek Settlement in Securities Fraud Case
  • Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen
  • Hacker with ‘political agenda’ stole data from Columbia, university says
  • Keymous+ Hacker Group Claims Responsibility for Over 700 Global DDoS Attacks
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • DOJ investigates ex-ransomware negotiator over extortion kickbacks
  • Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
  • One in Five Law Firms Hit by Cyberattacks Over Past 12 Months
  • U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute
  • Wisconsin Supreme Court’s Liberal Majority Strikes Down 176-Year-Old Abortion Ban

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.