A major cyberattack exposed sensitive patient data at Central Maine Healthcare, impacting over 145,000 individuals, mostly residents of Maine.
Quick Summary – TLDR:
- 145,381 patients and staff affected by a data breach at Central Maine Healthcare (CMH).
- The breach went undetected for over two months from March to June 2025.
- Sensitive data like Social Security numbers and treatment details were exposed.
- CMH is now offering free credit monitoring and has set up a patient support line.
What Happened?
Central Maine Healthcare has confirmed that a cyberattack lasting from March 19 to June 1, 2025 compromised the personal information of 145,381 people, including 138,880 Maine residents. Initially, only eight patients were reported as affected, but deeper investigation uncovered the true scope.
The health system operates several key hospitals in the region, including Central Maine Medical Center in Lewiston, Bridgton Hospital, and Rumford Hospital.
🔴 CENTRAL MAINE HEALTHCARE DATA BREACH 📊
— Isaac Grimaldo (@photogrim_) January 13, 2026
What people saw: A trusted healthcare system serving over 400,000 residents.
What was actually happening: A data breach exposed sensitive information of more than 145,000 individuals over a span of two and a half months.
💻 **The… pic.twitter.com/pUBJ8jdV3m
Breach Timeline and Scope
The data breach remained undetected for more than two months before being discovered in early June 2025. Hackers had unauthorized access to CMH’s systems during this period. The final analysis was completed on November 6, after which the full extent of the incident was disclosed.
Jim Cyr, spokesperson for Central Maine Healthcare, stated:
According to CMH’s public statement, the types of data compromised may vary by individual, but could include:
- Full names
- Dates of birth
- Treatment information
- Dates of service
- Provider names
- Health insurance details
- Social Security Numbers
The breach not only affected current patients but also included former patients and employees, significantly broadening its impact.
Delayed Notifications and Public Concerns
Patients began receiving formal notifications in December 2025, several months after the breach was discovered. CMH stated that it had started notifying affected individuals almost immediately after discovery and continued in phases as more data was reviewed.
The delay has raised concerns, especially given that another health system, Covenant Health, also recently disclosed a breach that affected over 478,000 patients, mostly in Maine. While there’s no confirmed connection between the two incidents, both highlight growing cybersecurity threats in the healthcare sector.
In light of these events, the Office of the Maine Attorney General has received breach reports but declined to comment on investigations. The discrepancy in reporting numbers between initial and final assessments has sparked additional scrutiny.
Support for Affected Individuals
To help those impacted, CMH has set up a dedicated support line at 1-833-397-7918 for questions or to report suspected misuse of personal data. They are also offering free credit monitoring services to minimize the risk of financial fraud.
CMH is advising patients to closely monitor their medical and insurance statements for any suspicious activity and to contact providers or insurers immediately if something looks off.
The Bigger Picture
Healthcare systems are increasingly becoming targets for cybercriminals. Between January 2018 and September 2023, healthcare data breaches surged by 239 percent, according to the HIPAA Journal. With hospitals holding vast amounts of sensitive personal and financial information, the stakes are higher than ever.
SQ Magazine Takeaway
Honestly, this is yet another wake-up call. When health systems get hit, it’s not just IT problems, it’s your health, your identity, and your peace of mind on the line. I don’t know about you, but it’s worrying to think that Social Security numbers and treatment details can just walk out the door in a cyberattack. The fact that this breach went unnoticed for over two months is even more alarming. We need to start treating cybersecurity in healthcare like the patient safety issue it truly is.
