Northern Light Health said Monday that "limited" patient data may have been stolen in a cyberattack earlier this year. The Brewer-based health care system operates several hospitals across the state, including Eastern Maine Medical Center in Bangor. Credit: Linda Coan O’Kresik / BDN

Northern Light Health announced Monday that patient data may have been stolen by hackers in a ransomware attack on its data storage provider earlier this year.

The health care organization said that, in May, Blackbaud — a South Carolina-based cloud data storage software that primarily serves nonprofits and health care organizations — reported to its customers that hackers may have accessed their information in the hack.

About two months later, Northern Light Health discovered that the potentially stolen data included “limited protected health information,” like patient names, addresses, where and when the patient was treated, along with other personal information, the Brewer-based health care organization said Monday.

Hackers did not access patient credit card or banking information.

Northern Light Health said it is reviewing internal policies and procedures regarding third-party vendors such as Blackbaud, and working with the company directly to protect against future cyberattacks.

In addition to notifying patients and certain regulators whose information may have been stolen, the organization said it reported the cyberattack to the U.S. Department of Health and Human Services, as legally required.

Last year, Acadia Hospital also experienced a security breach after a communications official mistakenly emailed confidential patient names to an editor at the Bangor Daily News.

The list identified 300 patients who had prescriptions for Suboxone, a medication used to treat opioid use disorder.

Along with that, it also contained the identities of the patients’ medical providers — information that is also protected by federal privacy laws that prohibit health care organizations from releasing personal patient data to the public without permission.

Northern Light Health said that no Acadia Hospital information was involved in the hack.

People can get additional information on Northern Light Health’s website.