After a barrage of health data breaches, Maine lawmakers are considering a bill that would require hospitals to adopt cybersecurity plans.

The security plans must include a process for hospitals to receive and record incidents and “threats of violent behavior,” according to the bill, LD 2103, which was sponsored by Rep. Julia McCabe, D-Lewiston, along with Democratic representatives from Lewiston, Auburn, Bangor and Durham.

Plans would be submitted annually to the Maine Department of Health and Human Services.

The legislation was born out of data breaches at two major health systems in 2025.

A May cyberattack at Covenant Health, the parent company of St. Mary’s Health System in Lewiston and St. Joseph Healthcare in Bangor, affected the data of more than 478,000 patients, including 285,000 in Maine. Names, Social Security numbers, addresses and treatment details were among the information accessed by an unauthorized party.

A different breach was discovered in June at Central Maine Healthcare, which at the time owned Central Maine Medical Center in Lewiston, hospitals in Bridgton and Rumford, and several other health care facilities. The cyberattack impacted 145,381 patients and “crippled basic communication services,” threatening access to appointments, prescriptions and preventative care, McCabe said at a public hearing on the legislation Tuesday.

Nearly a third of all Mainers were impacted by the breaches, McCabe said, including one Auburn resident who was forced to ration her insulin.

A Greene resident at the hearing spoke for his wife, Anne White, whose June appointment at Central Maine Healthcare was canceled while she was waiting on pathology results for tonsil cancer. She didn’t hear anything for three weeks.

Margaret Craven, a former Lewiston senator, said her annual checkup with Covenant Health was rescheduled from August 2025 to February 2026.

“What is plain is that there were severe breakdowns in patient care caused by the two cyberattacks,” McCabe said. “As I learned about this issue, it became clear to me that this is not a one-off, or some fluke, but part of a trend of bad actors increasingly targeting hospitals.”

Dr. Christian Dameff, who conducts research on patient safety impacts at the UC San Diego Center for Healthcare Cybersecurity, said health care is increasingly dependent on technology to provide care, and when providers can’t access it, patients are harmed.

He said that translates to “huge spikes in emergency department patient volumes, prolonged wait times, record high ambulance diversions and worse outcomes from cardiac arrests when ransomsware occurs.”

Maine already requires businesses to report cyberattacks and notify affected customers within three days.

Under the new bill, cybersecurity plans would not only require timely notification to law enforcement agencies, patients and providers, but also a backup communication response plan, a process for triage and ambulance diversion to ensure continuity of care, a complaint avenue for patients and required cybersecurity training for hospital employees.

Winfield Brown, president of St. Mary’s, testified in opposition to the bill, which he said would add administrative and “duplicative” costs to existing security requirements to protect patient health information under HIPAA.

“The thing is, we at St. Mary’s and our parent organization, Covenant, took all the protective planning measures required by existing federal law prior to our cybersecurity incident, and the attack still took place,” Brown said.

Coming out of last year’s cyberattacks, McCabe said it is still not known “how many appointments were missed, how many prescriptions went unfilled, or how many radiation treatments were missed.”

She said the bill calls for a full analysis of how those attacks impacted patient health. Only then, she said, can hospitals build resilience against future events.

“I think this bill would help prevent the confusion and worry that I and many others experienced during the cyber outage and when we were unable to reach the hospital,” White said.