Ransomware attack exposes information of more than 650,000 individuals from Maine health system

Northern Light Health, a Maine-based healthcare system, suffered a data breach in May that affected 657,392 individuals, according to the Office for Civil Rights (OCR) breach portal.

In a security notice posted on its website, Northern Light Health disclosed that it was one of thousands of health systems affected by a ransomware attack at Blackbaud, a business associate that hosts a database for the Northern Light Health Foundation. According to the security notice, Northern Light Health maintains its electronic health records separate from the foundation.

The affected databases include information about donors, potential donors, individuals who may have attended fundraising events, and patients the healthcare system believed may want to donate in the future according to the security notice.

Blackbaud also posted a security notice to its website indicating that it discovered a ransomware attack in May 2020. Prior to locking the cybercriminal out of the system, a copy of a subset of data was extracted by the cybercriminal. Blackbaud said the data did not include credit card information, bank account information, or social security numbers. In its security notice, Blackbaud said it paid the ransomware demanded by the cybercriminal to have the copy of data destroyed.

Blackbaud informed Northern Light Health of the attack on July 16.

Since being notified, Northern Light Health has worked closely with Blackbaud to gain a full understanding of exactly what information was compromised and which donors and patients were affected.

Northern Light Health said it will reach out to affected individuals.