Richmond University Medical Center faces data breach

The Medical Center recently notified the Attorney General of Maine and patients regarding a data breach. 

 

What happened

On December 19th, 2024, Richmond University Medical Center (RUMC) filed a notice of a data breach with the Attorney General of Maine. 

The medical center has also posted a notice on its own website. Currently, they have not confirmed the number of impacted individuals, leaving that space intentionally blank on their breach notice. The center did share that 32 Maine residents may have had their data accessed. 

According to the breach notice, the center discovered unauthorized access to their network on May 6th, 2023, over a year ago. 

The types of data accessed are currently redacted in the notice, but they include names in combination with other personal information, likely including Social Security numbers.

 

Going deeper

According to the notice, the unauthorized access was “a result of a sophisticated cyberattack.” Following the breach, the medical center launched an investigation, utilizing an outside cybersecurity team to “analyze the extent of any compromise of the information on [the] network.” The team stated that the investigation is ongoing; however, they said they have currently determined that “our electronic health records system was not affected by the incident…[but] other files may have been accessed or removed from our network.”

According to their notice with the Maine Attorney General, once the company determined what files were accessed, they conducted a manual review of each file to determine if it contained sensitive personal information or personal health information. 

The notice said RUMC would notify impacted individuals. They said they currently “have no evidence of financial fraud or identity theft related to this data.” 

 

The big picture

The incident shows how time-consuming the investigation process can be following a data breach. Often, it takes time for companies to catch the breach and complete their investigation, which is usually done before the organization alerts the Department of Health and Human Services or impacted patients. In this case, it took over a year for patients to be alerted to the breach. 

Delays like this mean patients may unknowingly have their data on the dark web, making them vulnerable to fraud or identity theft. If those events occur, or if there is a significant risk that they may, healthcare organizations may also face lawsuits for negligence. RUMC could likely find themselves investigated, if not sued, in a class action suit. 

With breaches occurring constantly, it’s important for organizations to have the highest level of security possible. It’s also necessary for organizations to consistently monitor their network for unusual activity.
