Two of Maine's biggest healthcare providers recently announced breaches collectively impacting over 50,000 patients.
InterMed P.A., a health provider in Southern Maine, disclosed its breach on Tuesday, revealing that attackers gained access to one of its employees' email accounts earlier this fall, on September 6. After engaging a digital forensics firm, it determined that three additional employee email accounts were compromised between September 7 and 10, which led to the exposure of data on 30,000 of its patients. Included in the breach are patient names, dates of birth, health insurance information and clinical information.
Only a limited number of patient Social Security numbers were exposed, according to the company.
InterMed, which has offices in Portland, South Portland, and Yarmouth and specializes in cardiology, dermatology, OB/GYN, and sports medicine, began notifying patients on Tuesday.
The news comes about 10 days after Sweetser, a mental health services provider based in Saco but with offices across the state, disclosed a breach of its own. At the end of October, the nonprofit sent letters to 22,000 current and former clients informing them that some of their data, including PHI - protected health information - may have been exposed.
Potentially included in the Sweetser breach are patient names, addresses, dates of birth, telephone numbers, Social Security numbers, and in some cases, health insurance information, driver's license numbers, Medicare or Medicaid information, information on payments or claims the patients have made, and information regarding the patients' medical conditions.
Like InterMed, Sweetser also appears to have fallen victim to a compromised employee email account. Unfortunately, as with many such incidents, details on what led to the compromise are scant.
According to letters sent to victims, the breach was "limited to information transmitted via email and did not affect any of their other information systems" and occurred from June 18 to June 27. Sweetser discovered the intrusion on June 27, suggesting that discovery is what put an end to whatever access the attacker had.
The gap between discovery and disclosure, roughly four months, can be attributed to the time the organization spent engaged with the Department of Health and Human Services' Office for Civil Rights, to which Sweetser reported the breach on September 10, following incident response and remediation.
While data breaches continue to be an issue for healthcare firms - they cost healthcare organizations $6.45 million per breach on average, according to IBM and Ponemon's 2019 Cost of a Data Breach report - email account compromises and phishing attacks remain a top challenge.
According to a study published in the Annals of Internal Medicine last month, most healthcare breaches - 71 percent - expose demographic or financial data that could be used by attackers to commit identity theft or fraud, a statistic that adds palpable, and in many cases financial, loss to the breaches.