Central Maine Healthcare data breach exposed information of more than 145,000 people

A cyber intrusion at Central Maine Healthcare last year exposed sensitive personal and medical information of more than 145,000 patients and employees after attackers maintained unauthorized access to the organization’s systems for more than two months.

Central Maine Healthcare, an integrated healthcare delivery system serving at least 400,000 people across Maine, detected the intrusion on June 1 after attackers had been present in its network since March 19. The organization manages several hospitals, including Central Maine Medical Center, Bridgton Hospital, and Rumford Hospital.

An internal investigation determined that the incident potentially affected both patients and current and former employees. Notifications to impacted individuals began soon after the breach was identified and continued as the review uncovered additional affected records. The investigation concluded on Nov. 6, 2025, confirming that 145,381 individuals were impacted.

In a statement issued Dec. 29, Central Maine Healthcare said the exposed information varied by individual but may have included full names, dates of birth, treatment details, dates of service, provider names, health insurance information, and Social Security numbers.

The organization warned that individuals whose information was involved face an increased risk of phishing, impersonation, and financial fraud. Central Maine Healthcare advised patients to carefully review statements from healthcare providers and insurance plans and to report any services they do not recognize immediately.

To support those affected, the healthcare system established a dedicated patient support line to answer questions, receive reports of potential data misuse, and address concerns related to the breach. Central Maine Healthcare is also offering free credit monitoring services to help reduce the risk of financial fraud.

The organization has not disclosed details about the attackers or the method used in the breach, and no public claims of responsibility had been identified at the time the disclosure was made.