Healthcare Security Intelligence

Aroostook Mental Health Center (AMHC) experienced a data event where its network was accessed between March 11th and March 12th, 2026, resulting in the unauthorized taking of certain files containing personal information. AMHC discovered the disruption on March 12th and immediately took action to secure its network, working with specialists to investigate and restore systems. A comprehensive review is ongoing to determine the full scope of the breach and identify affected individuals. AMHC plans to notify affected Maine residents and will offer 12 months of complimentary credit monitoring and identity protection services.

CardioFit Medical Group, Inc. disclosed a data breach on January 8, 2026, where protected health information was sent via email without encryption in January and/or February of 2026. The exposed data may include name, demographic details, clinical information (including diagnosis), and insurance information. Social Security numbers, bank account details, and credit card information were not included. The company discovered the issue on February 17, 2026, and has since strengthened email encryption procedures and provided additional staff training.

DermCare Management disclosed a data breach on February 14, 2025, after becoming aware of suspicious activity on their computer systems on February 26, 2025. An investigation revealed that certain patient files were accessed or taken without authorization between February 14, 2025, and February 26, 2025. The company took steps to secure its network and is offering complimentary credit monitoring and identity restoration services through Epiq.

Option Care Health, Inc. experienced a data breach when an employee's email account was accessed without authorization between February 6, 2026, and February 9, 2026. The investigation revealed on February 26, 2026, that certain protected health information was accessed. The affected data may include individuals' names, dates of birth, medical record numbers, and/or treatment information. While there is no evidence of misuse, the company is taking steps to enhance security and is notifying affected individuals.

Woodfords Family Services, a provider of specialized clinical, educational, and behavioral services for individuals with disabilities, experienced a ransomware event on April 8, 2024, caused by the actor group Medusa. The incident resulted in unauthorized access to their network and data exfiltration. An investigation determined that the personal identifiable information of 7,701 Maine residents was affected, with 3,695 being non-residents and 4,006 being current or former Woodfords residents notified under HIPAA. Substitute notice was also provided for individuals whose addresses were unknown. The total number of affected individuals is 41,984, including 33,911 individuals for whom substitute notice was issued.

Heart South Cardiovascular Group disclosed a cybersecurity incident on April 6, 2026, affecting 46,666 records. The incident occurred around November 11, 2025, when an unauthorized party claimed to possess Heart South data. While an investigation did not find evidence of unauthorized network access or data theft, it was discovered that a limited amount of data was posted on the dark web. The company discovered on February 12, 2026, that patient information, including name, address, date of birth, and Social Security number, was on the affected systems. Heart South is offering complimentary identity monitoring services through Kroll to affected individuals.

Hims & Hers, Inc. experienced a data security incident involving their third-party customer service platform. Between February 4, 2026, and February 7, 2026, certain customer service tickets were accessed or acquired without authorization. The investigation identified that personal information, including name and contact information, related to a limited set of individuals was present in these tickets. Medical records and communications with healthcare providers were not impacted. The company is offering 12 months of complimentary credit monitoring and identity restoration services through Cyberscout and has notified federal law enforcement.

Nacogdoches Memorial Hospital disclosed a data breach affecting 257,073 individuals.

Windels Marx Lane & Mittendorf, LLP experienced unauthorized access to its computer network on September 11, 2025, resulting in the unauthorized taking of certain files. A subsequent investigation determined that personal information, including name, Social Security number, and financial account information, may have been compromised. The firm has notified affected individuals, including one resident of Maine, and is offering 12 months of credit monitoring services through TransUnion. They have also notified federal law enforcement and are implementing additional security safeguards and employee training.

Central Maine Healthcare disclosed a data breach affecting approximately 145,000 individuals. The health system filed notification with the Maine Attorney General on January 15, 2026.

Cottage Hospital disclosed a data breach affecting 2,156 individuals after an unauthorized party accessed its network between October 14-21, 2025. Both employee data (SSNs, bank accounts) and patient medical records were exposed.

The Counseling Center of Wayne and Holmes Counties disclosed a data breach affecting 83,354 individuals. As a mental health provider, the exposure of sensitive behavioral health records raises heightened privacy concerns under HIPAA and 42 CFR Part 2.

Jackson Hospital and Clinic disclosed a data breach affecting 14,485 individuals caused by unauthorized access at third-party vendor Nationwide Recovery Services. The breach occurred between July 5-15, 2024 but was not disclosed until February 27, 2026.

Nova Biomedical Corp experienced a sophisticated cyberattack on July 22, 2025, with malware deployment that disrupted the medical device manufacturer's operations and exposed data of 10,764 individuals.

WIRX Pharmacy experienced unauthorized access to its computer environment on December 6-7, 2025, exposing names and Social Security numbers of 20,104 individuals. The pharmacy followed proper HIPAA notification procedures including HHS and media notification.