A vendor providing sleep disorder diagnostic services has reported a major data breach affecting patients at three Maine hospitals. The company, Compumedics, experienced a security intrusion that occurred between the middle of February and late March 2025. This incidents impacted patients who were seen at Northern Light Eastern Maine Medical Center and two other system hospitals. Compumedics provides specialized diagnostic services for health system patients who have been referred for sleep disorder evaluations. The unauthorized party was able to access or exfiltrate sensitive files during the extended period of the security intrusion.
The company subsequently filed reports with attorneys general in both Massachusetts and Maine at the beginning of May. Interestingly, these initial reports to the states did not indicate that any protected medical information was actually involved. An undated notice on the company’s website later provided much more comprehensive details about the security incident. The company has not stated how the intruder gained access or if any extortion demand has been made.
Compumedics first detected the breach on March 22 and later notified its healthcare provider clients on April 29.
The compromised patient files contained names, dates of birth, demographic information, and unique medical record identification numbers. They also included specific treatment and diagnosis information, dates of treatment, provider names, and detailed sleep study results. For a small subset of the individuals whose information was unfortunately involved, the files may have contained their Social Security numbers. Health officials at Northern Light Health do not believe that their patients’ financial or health insurance information was involved.
This significant data breach has exposed a wealth of very sensitive personal and protected medical health information.
The internal information technology systems at Northern Light Health were not directly affected by this third-party data breach. Compumedics has since worked to improve its overall data security and is advising patients to review their documents. They recommend monitoring for any suspicious charges for medical services that they did not actually receive from providers. Anyone who was directly affected by this security breach has been notified by mail sent out by the company. A dedicated helpline is available for any patients who have additional questions or specific concerns about this incident.
Reference:
