TL;DR: Central Maine Healthcare had hackers living in their network for 74 days, March 19 to June 1, 2025. They originally reported only 8 patients affected. On January 12, 2026, they filed with the Maine Attorney General: actually, it's 145,381 people. SSNs, medical records, insurance information, treatment details: all potentially stolen. The healthcare system serves 400,000 Mainers. If you've been a patient or employee at Central Maine Medical Center, Bridgton Hospital, or Rumford Hospital, your data is likely compromised.

What Happened

Here's a timeline that should make you angry:[1]

  • March 19, 2025: Hackers gain access to Central Maine Healthcare systems
  • 74 days of access: Attackers roam freely through the network
  • June 1, 2025: CMH finally discovers the intrusion
  • July 31, 2025: First round of notifications sent
  • November 6, 2025: Investigation completed
  • December 29, 2025: Public statement issued
  • January 12, 2026: Filed with Maine AG: 145,381 people affected

For over two months, attackers had the run of a healthcare system serving 400,000 people. That's not a breach. That's a residency.

The Numbers Game

Central Maine Healthcare initially reported just 8 patients affected.

Eight.

Then, seven months later, they quietly updated that figure to 145,381.[2]

That's an 18,172x increase in reported victims. It's a number so ridiculous it reads like a typo.

The breakdown:

  • 145,381 total individuals affected
  • 138,800 Maine residents specifically identified
  • Patients and employees both included

What happened between "8 people" and "145,381"? Either they massively underestimated the initial scope, or they weren't looking very hard.

What Was Stolen

Medical breaches are uniquely terrible because they combine identity data with health data. This one includes:[3]

Social Security Numbers

The classic identity theft enabler. Never changes, never expires, always valuable.

Medical Treatment Details

What conditions you have, what procedures you've had. Private health information now exposed.

Provider Names & Service Dates

Who treated you and when. Useful for insurance fraud and impersonation.

Health Insurance Information

Policy numbers, coverage details. Enables fraudulent medical billing.

Dates of Birth

Combined with SSN and name, completes the identity theft trifecta.

Who Is Affected

Central Maine Healthcare operates:

  • Central Maine Medical Center in Lewiston
  • Bridgton Hospital
  • Rumford Hospital
  • 40+ primary and specialty care locations

If you've been a patient at any of these facilities, or if you've worked there, your data may be compromised. The affected information varies by individual (not everyone had the same data exposed) but the potential scope is massive.

The Healthcare Pattern

This breach follows a depressingly familiar pattern in healthcare:

  1. Attackers get in
  2. They stay in for weeks or months
  3. Discovery happens by accident or external tip
  4. Initial victim count is laughably low
  5. Months later, the real numbers emerge
  6. Victims get offered 12-24 months of credit monitoring

We've seen this script play out with Community Health Center (1 million patients), Change Healthcare (100+ million), and now Central Maine Healthcare.[4]

Healthcare organizations are sitting ducks. They have massive amounts of sensitive data, often running on outdated systems, with security budgets that don't match the threat. And attackers know it.

What CMH Is Doing

Central Maine Healthcare says they:

  • Are notifying affected individuals in waves
  • Have set up a dedicated patient support line: 833-397-7918
  • Are offering free credit monitoring services
  • Recommend patients "review statements from healthcare providers"

That last bit is important. Medical identity theft means someone might be getting treatment in your name. Review your healthcare statements for services you didn't receive.

What To Do If You're Affected

Freeze Your Credit

All three bureaus: Equifax, Experian, TransUnion. Free and blocks new account fraud.

Take the Free Monitoring

CMH is offering credit monitoring. Enroll immediately, and don't let it expire unused.

Review Medical Statements

Watch for services, prescriptions, or equipment you didn't receive. That's medical identity theft.

Request Your Medical Records

Ask for itemized records from CMH. Look for unfamiliar entries or providers.

Consider an IRS PIN

SSN theft leads to tax fraud. Apply for an Identity Protection PIN from the IRS.

Call the Support Line

833-397-7918, Monday-Friday, 8 AM - 8 PM ET. Document everything.

The Bottom Line

Hackers had 74 days inside a healthcare network. They originally said 8 people were affected. It was actually 145,381.

If you've ever received care in central, western, or mid-coast Maine, assume your data is compromised. Don't wait for a notification that might never come. Freeze your credit now. Monitor your medical statements. Watch for signs of identity theft.

Healthcare systems keep failing at basic security, and patients keep paying the price. Your medical records are worth more than your credit card on the dark web, and apparently, they're easier to steal.

References

  1. BleepingComputer - Central Maine Healthcare Breach Exposed Data of Over 145,000 People
  2. SecurityWeek - Central Maine Healthcare Data Breach Impacts 145,000 Individuals
  3. Maine Public - Data Breach Last Year at Central Maine Healthcare
  4. Bangor Daily News - Central Maine Healthcare Data Breach
  5. WGME - CMH Breach Affects 145,000 More People Than Initially Reported