Lisa A. Gardner, Ph.D., CPCU, AIC, AIDA, API,
is the Associate Director, Content and Research, at the Risk & Insurance Education Alliance.
On June 1, 2025, Central Maine Healthcare (CMH) discovered unusual activity in its computer network. (Quirk, 2025) They responded by shutting down their computer and phone systems. Predictably, several problems ensued, including scheduling and confirming appointments, accessing records and lab results through patient portals, communicating with physicians, delays in getting prescriptions filled, postponed cancer radiation treatments, and rescheduled elective surgeries, among others. (Saks, 2025), (Rogers, 2025) All three CMH hospitals continued to admit patients and provide some emergency care in their emergency rooms. Patients continued to receive care at their doctors’ offices during the month-long disruption.
According to their website, CMH serves residents of central, mid-coast, and western Maine through three hospitals, a network of primary and specialty care providers, and other healthcare services. (Central Maine Healthcare, 2025) Much of this care happens in or near its headquarters in Lewiston, Maine. Lewiston is the second-largest town in Maine, with a population of 37,121. (Lewiston, Maine, 2025)
This attack marks the second time in four years that a cyberattack has targeted CMH. On June 3, 2022, CMH reported that it had discovered a data breach affecting 11,938 individuals. (Diaz, 2022) To date, CMH has not commented publicly on whether attackers accessed sensitive patient data in the latest cyberattack. If it were, CMH may well face significant litigation by affected patients.
The attacks, both costly to repair, added to CMH’s existing financial problems. Like many hospitals serving smaller communities and rural areas, the system’s flagship hospital ran a sizeable deficit (approximately $19 million) in recent years. (Wright, 2025) In search of additional resources, CMH sought and found a buyer, Prime Healthcare Foundation. Pending regulatory approval, CMH’s acquisition could enhance organizational resilience against future cyberattacks.
CMH is just one of many healthcare organizations that have experienced cyberattacks in recent years. These attacks seem to be escalating, and not just for healthcare organizations. The next attack could target one of your clients.
Help Clients Navigate Emerging Cyber Threats with Up-to-Date Knowledge at Your Own Pace!
The Alliance’s CIC Commercial Multiline self-paced course covers cyber exposures and insurance. Additionally, it addresses crime, employment practices liability, and inland marine exposures and coverages. Completing all five sections of the course qualifies you to take the associated designation exam. Additionally, the course qualifies for designation update credit and continuing education credit in several states.
For more information, see:
References
Central Maine Healthcare. (2025, July 17). About Us. Retrieved from CMHC.org
Diaz, N. (2022, August 4). Central Maine Medical Center data breach affects 11,938 patients. Retrieved from Becker’s Hospital Review.com
Lewiston, Maine. (2025, July 18). Economic & Community Development. Retrieved from LewistonMaine.gov
Quirk, M. (2025, June 2). Central Maine Healthcare shuts down IT systems. Retrieved from WMTW.com
Rogers, B. (2025, June 25). Central Maine Healthcare still working to restore services 25 days after cyber incident. Retrieved from WGME.com
Saks, N. (2025, June 25). System outage at Central Maine Healthcare continues to vex patients. Retrieved from MainePublic.org
Wright, P., & Ogrysko, N. (2025, January 8). California-based nonprofit to purchase Central Maine Healthcare. Retrieved from MainePublic.org
