Leela Stockley reports that a data security incident at a Northern Light Health vendor may have compromised some patients’ information.
The vendor, Compumedics, provides sleep disorder diagnostic services for health system patients seen at Northern Light Eastern Maine Medical Center, Northern Light AR Gould, and Northern Light Sebasticook Valley Hospital.
No report has appeared yet on HHS’s public breach tool for this incident under either Compumedics’ name or Northern Light Health’s name. However, on May 8, Compumedics submitted a report to the Massachusetts Attorney General, indicating that 7 Massachusetts residents were affected by the incident. Their report, however, did not indicate that medical records or information was involved, and from their notification, that particular notification may have been directed at employees because it tells recipients that the information involved included names “in combination with your Social Security number and/or bank account number used for direct deposit.” Compumedics’ report to the Maine Attorney General, filed the same day, was identical and failed to report the total number of people affected by the incident. It only reported that 4 Maine residents were affected.
An undated notice on Compumedics’ website provides additional details, however, including that the intrusion occurred between February 15 and March 23, and was first detected on March 22, 2025. Files were accessed or exfiltrated during the incident. They do not say how the intruder gained access or whether there has been any extortion demand. Health care provider clients whose patients were involved were notified on April 29, 2025.
Compumedics states that files contained names, dates of birth, demographic information, medical record numbers, treatment and diagnosis information, dates of treatment, provider names, and sleep study details and results. For a subset of the individuals whose information was involved, the files may have also contained their Social Security numbers and/or health insurance information. Officials at Northern Light Health told the Bangor Daily News that they do not believe their patients’ SSN, or health insurance, or financial information was involved.
Compumedics identified the following providers (clients) whose patients were involved in this incident:
- Bermuda Sleep & Signature Services / Hope Healthcare;
- Bronson Healthcare Group;
- Chest Medicine Associates PA;
- Billings Clinic;
- Davis Medical Center;
- Northern Light Ar Gould;
- Northern Light Eastern Maine Medical Center;
- Northern Light Sebasticook Valley Hospital;
- VCU Health System Authority; and
- Vitalcare Family Practice