Northern Light Health said Monday that some patient information might have been stolen by hackers, making the announcement a few weeks after the health care organization’s fundraising arm reported that some of its information also was exposed.

The Brewer-based organization, which operates Mercy Hospital in Portland and several other health care facilities throughout Maine, said some “limited protected health information” of patients was potentially stolen by hackers during a ransomware attack on Blackbaud, a South Carolina company that provides cloud data storage and other services primarily to nonprofits. The attack, which began in February and was detected by Blackbaud in May, affected thousands of organizations, including nonprofits in Maine.

The organizations that were affected included the Northern Light Health Foundation, LifeFlight of Maine, The Opportunity Alliance and Maine Cancer Foundation. Most notified donors of the data breach over the summer and said they have not heard any reports of data being misused.

Those groups and Blackbaud have said that the stolen data contained some contact information on donors, but no banking or financial information.

The hackers had stolen some information but had not yet demanded ransom when Blackbaud detected the attack on its system in May. In a ransomware attack, hackers take control of an organization’s computers and demand a ransom payment before handing control back to the owners of the system.

Blackbaud said it blocked the attack once it was discovered, but eventually paid a ransom to avoid having the stolen data sold. It said the hackers assured the company they would destroy the data once they received the ransom and the company and law enforcement officials said they believe it was destroyed because they have been unable to find any of the information being sold on the black market.

Northern Light Health said its investigation indicates that patient names, addresses, phone numbers, email addresses, date of birth, the hospital where the patient was treated, date of treatment and possibly the department where the patient was treated might have been stolen from Blackbaud. Northern Light’s notification said no credit card or bank account information was accessed.

Northern Light said it notified the federal Department of Health and Human Services of the data breach because it involved personal health care information, and the organization said it has been working with Blackbaud to “evaluate additional measures and safeguards to protect against this type of incident in the future.”

The organization said patients should be wary of attempted identity theft or fraud by reviewing any “explanation of benefits” forms received from insurers and to be careful if anyone uses their medical history to validate requests for personal or financial information.


Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.