AUGUSTA — MaineGeneral Health is warning employees and patients that personal information may have been stolen during a cyber attack last month.
The investigation is ongoing but Chuck Hays, CEO of MaineGeneral Health, said that the compromised information includes dates of birth and emergency contact names, addresses and telephone numbers for patients referred for radiology services since June 2009.
The breach also includes names, addresses and telephone numbers of prospective financial donors and certain employees who were listed on an old database, Hays said. Newer employees were likely unaffected. About 4,200 people work for MaineGeneral Health.
“It’s not all of our current employees,” he said.
Hays said the data identified thus far does not include Social Security numbers, patient names, patient medical or health insurance information, health records, driver’s license numbers or information on credit or financial accounts.
Hays said the compromised information may include patients referred to radiology over the past six years at any MaineGeneral Health subsidiary, including MaineGeneral Medical Center in Augusta; MaineGeneral Rehabilitation and Long Term Care, with nursing homes in Augusta; MaineGeneral Retirement Community; and MaineGeneral Community Care, which has facilities in Kennebec and Somerset counties.
Hospital spokeswoman Nicole McSweeney said she didn’t know how many patients the hospital sees each year at facilities throughout its network, but she said MaineGeneral Health’s service area includes about 180,000 people. Hays declined to estimate how many people could be impacted by the data breach, but acknowledged that more people could be added to the list.
“We can’t really say because the investigation is ongoing,” Hays said.
MaineGeneral is working with the FBI and a computer forensics firm to continue the investigation into how the data was breached and how much information was stolen. Hays said the hospital “was in the middle” of the investigation and that it is impossible to know when it will be completed.
“They’ve been working around the clock,” he said.
The FBI notified the hospital of the data breach on Nov. 13 after the bureau detected data on an external website that is not accessible by the general public. Hays said MaineGeneral launched an investigation to confirm its systems were secure and to find the source of the leaked information.
“We take any threat to the security of information entrusted to us very seriously,” Hays said. “Once the attack was discovered we immediately took countermeasures and also hired nationally-renowned computer forensic investigators to determine exactly what happened and what information is at risk.”
Hays said MaineGeneral notified the public as soon as it could examine the stolen data, and set up a call center to assist concerned patients and employees as well as credit monitoring and restoration services.
“We came out early just so people could understand the impact and protect themselves against any fraud or identity theft,” Hays said.
The investigation thus far has not uncovered evidence of stolen financial or account information, but MaineGeneral is offering those impacted by the breach one year of free credit monitoring and restoration services through AllClear ID.
Hays said the hospital regularly upgrades its computer systems to protect patient and employee information. That process was in place before the hospital moved to its new facility in 2013.
“Our security systems are constantly being upgraded every time there’s a new threat,” Hays said. “It’s not relative to a new building or moving. It’s really constant upgrading.”
Hays encouraged patients and employees to be on the lookout for identity theft. The hospital offered the following steps:
• Review account statements, medical bills and health insurance statements.
• Contact the IRS at IRS.gov to request a PIN to file your taxes so that no one can use your information to submit a fraudulent tax form.
• Order a free credit report at annualcreditreport.com or by calling 877-322-8228.
• Place a fraud alert on your credit file to tell creditors to take additional steps to verify your identity before granting credit in your name. The safeguard could delay your ability to obtain credit.
• Place a security freeze on your credit file to prohibit a credit reporting agency from releasing any information from your credit report without your written authorization. This, too, could delay a request for new credit.
• Report suspicious activity to local law enforcement.
Hays said he was disheartened by the fact that the breach has impacted patients, employees and donors.
“This is really our friends and family,” he said. “We’re sorry for the inconvenience this has caused our community. We’re taking this as a top priority to resolve this incident.”
MaineGeneral will mail letters directly to patients impacted by the breach. Hays encouraged anyone who fears their information may have been stolen to call the dedicated assistance line. The call center is available from 9 a.m. to 9 p.m., Monday through Saturday, at 877-441-2645.