Mount Desert Island Hospital breach victim count exceeds 32K


An attack on Mount Desert Island Hospital (MDIH) took the personal data of tens of thousands of the institution’s employees, beneficiaries, and dependents.

While the world is shocked by hackers breaching Las Vegas behemoths like MGM Resorts International and Caesars Entertainment, the cyber plunder of healthcare institutions quietly continues.

MDIH, based in Maine, USA, reached out to victims of a data breach, which exposed the personal identifiable information (PII) of 32,661 individuals, as per the breach notification that the hospital submitted to the Maine Attorney General.

ADVERTISEMENT

According to a letter MDIH sent to people impacted by the breach, attackers roamed its systems between April 28th, 2023, and May 7th, 2023, accessing specific files on the hospital’s network.

A review of impacted systems revealed that attackers accessed a trove of employee and patient data. According to the letter, attackers may have accessed employee names, date of birth, driver’s license/state identification number, Social Security numbers (SSNs), and financial account information.

The list of exposed patient data stretches longer, and apart from the same data points MDIH employees had exposed, include:

  • Addresses
  • Medical record numbers
  • Medicare or Medicaid identification number
  • Mental or physical treatment/condition information
  • Diagnosis code/information
  • Date of service
  • Admission/discharge date
  • Prescription information
  • Billing/claims information
  • Representative or guardian name
  • Health insurance information

Individual healthcare data can be sold for hundreds of dollars on dark web forums. Malicious actors use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to Medicare and other health insurers.

Meanwhile, other PII may be used to commit fraud, from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

MDIH said that it’s providing individuals impacted by the breach with access to “complimentary credit monitoring and identity protection monitoring” services.

The most recent update of the number of people impacted by the breach is the third time the victim list has been updated, with the first two instances taking place on June 30th and August 17th.

ADVERTISEMENT

“In response to this incident, MDIH conducted a full forensic investigation with the assistance of third-party specialists, changed password strength, implemented new technical safeguards, implemented periodic technical and nontechnical evaluations, bolstered firewall and user access policies, disabled vendor accounts associated with the suspected attack vector, and revised its policies and procedures,” MDIH said in its breach notification letter.