Who: Acadia Hospital

# of Records/People Affected: 300 Patients

When: 18 April 2019

What happened: A communications official at Northern Light Acadia Hospital in Bangor mistakenly emailed the confidential names of 300 patients.

How Did it happen: The release was an accident that resulted from human error, not a systemic problem with how the hospital secures confidential patient information. The blunder reflects the ongoing vulnerability of sensitive patient information in a digital age, even with rules in place to secure its privacy. It could lead to an audit of the hospital’s privacy and security protocols, and expose it to lawsuits from affected patients. Acadia is required to report the incident to federal regulators. Three hundred names were shared unintentionally. They were shared nonetheless. This never should have happened.

Outcome: Acadia is working with its information technology department to install measures that ensure confidential electronic information doesn’t unintentionally leave the hospital again. And in the meantime, the hospital plans to notify the patients who were affected by the release and to take immediate steps to regain their trust.