On July 1, DataBreaches reported that Mount Desert Island Hospital (MDIH) in Maine notified HHS on June 30 that 24,180 patients had been affected by a breach between April 28 and May 7. The types of protected health information involved included name, address, date of birth, driver’s license/state identification number, Social Security number, financial account information, medical record number, Medicare or Medicaid identification number, mental or physical treatment/condition information, diagnosis code/information, date of service, admission/discharge date, prescription information, billing/claims information, personal representative or guardian name, and health insurance information.
The breach was first disclosed by MDIH on its website on June 5, but DataBreaches first became aware of the breach when Snatch Team posted it to their leak site on June 5.
On July 6, MDIH updated its website notification to indicate that they had started to mail out notification letters but were still determining who needed to be notified. They also provided an FAQ about the incident and indicated that some complimentary credit monitoring and identity theft restoration services were being offered.
On July 17, they notified the Maine Attorney General’s Office that 25,937 people had been affected, of whom 23,013 were Maine residents and 19,802 were patients.
On August 15, Snatch updated their listing and leaked over 260 GB of files from MDIH.
MDIH has not updated its website notice since the July 6 update, but on September 19, MDIH submitted an updated notification to the Maine Attorney General’s Office indicating that a total of 32,661 people were affected by the breach, of whom 26,046 were Maine residents. That number includes both patients and employees.
MDIH’s website notice makes no mention that data has been leaked on the clear net and dark web.
MDIH’s notifications to the Maine Attorney General’s Office do not mention that data has been leaked on the clear net and dark web, even though the second notification was more than one month after Snatch updated their leak site.
MDIH’s letters sent to patients and employees do not reveal that data has been leaked on the clear net and dark web.
Did MDIH download the data from Snatch to see what is in it? DataBreaches has encountered difficulties trying to download it, so can’t be sure there is a lot of patient data in it, but a spokesperson for Snatch confirmed that there are patient data in the publicly available downloads. So why hasn’t MDIH told patients this?
In related news, CISA has issued a joint advisory about Snatch Team today. DataBreaches asked Snatch for their comments on it, and they replied:
First of all, we repeat once again that we have nothing to do with Snatch Ransomware, we are Security Notification Attachment, and we have never violated the terms of the concluded transactions, because our honesty and openness is the guarantee of our income.