Maine Law Requires Hospitals to Enact Cybersecurity Plans

The law, which requires annual cyber training for staff, is aimed at reducing clinical risk and ensuring that hospitals can continue to operate in the event of a cyber attack.

A new law in Maine requires all licensed hospitals in the state to create and maintain cybersecurity plans aligned with federal standards beginning next year.

The law — which the governor signed in April — is intended to reduce clinical risk and ensure hospital operations continue when a cyber incident happens. This comes after two separate attacks on Maine hospitals in May and June of 2025. Five hospitals, along with an unknown number of outpatient clinics and doctors’ offices, experienced an outage of communications, lifesaving equipment and vital tools.

In response, Maine Rep. Julie McCabe introduced HP 1418. Those attacks impacted at least one-third of the state’s residents, she told the Legislature’s Health and Human Services Committee in February, noting that the full impact is unknown. Outages lasted for weeks, and clinicians lost access to communications systems, forcing a shift to paper processes and in-person workarounds.

Routine care, such as cancer screenings, was missed, while more complex treatments were canceled when equipment could not operate. Prescription systems went offline, requiring patients to travel to pick up handwritten scripts. Critical technologies like CT scans and newborn monitoring were also unavailable.

McCabe said that “we cannot outrun” cybersecurity threats, and the bill was designed to “harden incident response.”

The new law requires annual cybersecurity training for all staff, annual penetration testing and tabletop exercises, and written cybersecurity incident planning that will be audited each year. It also calls for mutual aid planning among providers, updated paper charting procedures for downtime, and backup communication strategies for continuity of care.

Hospitals are also required to report on incidents dating back to 2024, as a look back will help create future resilience, McCabe said. After-action reports will be required going forward, and the Department of Health and Human Services is tasked with taking any incident-related patient complaints.

Health-care organizations are at the top of cyber attackers’ lists, according to the latest Internet Crime Complaint Center report, as they house a variety of high-value data that can be sold and held for ransom. Maine’s hospitals include nonprofit, community and private hospitals, with strong system consolidation, and the state runs behavioral health hospitals. All operate within state and federal frameworks, and most rely on federal or state funding.

Dr. Christian Dameff of UC San Diego Center for Healthcare Cybersecurity spoke during the public testimony period, saying he was in favor of the Maine legislation. He has researched the topic for more than 15 years.

“The simple reason for [attacks] is that health care is increasingly dependent on critical connected technologies to provide care,” he said. “When patients are fighting deadly infections, suffering from massive trauma or suffering from heart attacks — minutes and sometimes seconds matter.”

He said that criminals are attacking via poor peripheral controls coupled with social engineering through phishing and smishing. They then steal credentials, break into a system and wait for a few weeks to figure out how to make the most money from the attack. They are taking advantage of outdated patching and inconsistent security patches, Dameff said, and the new law can help to lessen cyber risk and its impact.

Rae D. DeShong is a Texas-based staff writer for Government Technology and a former staff writer for Industry Insider — Texas. She has worked at The Dallas Morning News and as a community college administrator.