Maine advances bill requiring hospitals to adopt cybersecurity plans
Farah Amod
April 23, 2026
A bill born out of two 2025 ransomware attacks that affected roughly one-third of Maine residents has cleared the state House unanimously and now faces further votes in both chambers before it can become law.
What happened
The Maine House of Representatives has voted unanimously to advance LD 2103, An Act Requiring Hospitals to Adopt Cybersecurity Plans, which would mandate that all Maine hospitals develop and maintain a cybersecurity program aligned with federal standards. According to the Maine House Democrats' official press release, the bill was sponsored by Rep. Julia McCabe (D-Lewiston) following two 2025 cyberattacks that struck five Maine hospitals: Covenant Health's St. Mary's Hospital in Lewiston and St. Joseph's Hospital in Bangor, and Central Maine Medical Center's facilities in Lewiston, Bridgton, and Rumford. The Covenant Health attack alone affected 478,188 patients. Combined, the two incidents put approximately one-third of the state's residents at risk. The bill now faces further votes in the House and Senate.
Going deeper
As advanced by the House, LD 2103 requires each hospital to adopt a cybersecurity plan consistent with best practices established by the Department of Homeland Security, CISA, NIST, and the Healthcare and Public Health Sector Coordinating Council (HSCC). The plan must also comply with HIPAA and be reviewed at least annually. At a minimum, hospitals must have a backup communication provision to maintain continuity of care during system disruptions, written agreements with other hospitals to facilitate patient transfers, a documented security incident response plan covering both clinical and communications procedures, and a process for promptly and manually incorporating charted medical information into electronic records. Cybersecurity training for hospital employees and board members is required annually, and incident response and downtime procedures must be tested and updated at least once per year. Following any cybersecurity incident, hospitals must review their response and improve procedures accordingly. The bill also requires hospitals to address workplace violence, a provision driven by OSHA data showing healthcare workers are four to five times more likely to suffer injuries from violence than workers in other sectors.
What was said
Rep. McCabe said in the official press release: "Cyberattacks pose a serious risk to our already-fragile health care system. We've already seen how a cyberattack can impact Maine hospitals and leave patients in dire straits. This legislation will help ensure that our hospitals are prepared to deal with these types of incidents, respond promptly and effectively to patient needs, and protect sensitive information." Winfield Brown, president of St. Mary's Hospital, testified in opposition at a public hearing, stating that the hospital had followed all HIPAA-required protective planning measures before the attack and that LD 2103 would add administrative and "duplicative" costs to existing requirements, according to Central Maine.
In the know
The patient impact of the attacks that prompted LD 2103 extended well beyond data exposure. According to DataBreaches.net, the cyberattacks crippled basic communication services and exposed breakdowns in hospital protocols that disrupted care for weeks, including both preventative care and cancer care. One resident testified that her annual checkup with Covenant Health was rescheduled from August 2025 to February 2026. A cancer patient's appointment at Central Maine Healthcare was canceled while she was waiting on pathology results, with no communication for three weeks. Dr. Christian Dameff, a researcher at the UC San Diego Center for Healthcare Cybersecurity, testified that ransomware causes spikes in emergency department volumes, prolonged wait times, and worse outcomes from cardiac arrests.
The big picture
Maine's LD 2103 represents a state-level legislative response to a gap that federal oversight has not fully closed. Paubox has documented this compliance gap directly. According to Paubox's Healthcare IT Is Dangerously Overconfident report, 92 percent of healthcare IT leaders express confidence in their ability to prevent email-based data breaches, yet the same organizations frequently lack formal incident response workflows tied to email risks, which is itself a HIPAA violation. The Paubox Hidden Cost of Inaction report found that only 5 percent of known phishing attacks are reported by employees to security teams, and only 4 percent of known HIPAA email violations are reported internally. What LD 2103 proposes at the state level (mandatory incident response plans, backup communication protocols, and annual testing) addresses the same readiness gaps that Paubox's breach analysis has consistently found missing in healthcare organizations that experience cyberattacks.
FAQs
What must a hospital's cybersecurity plan include under LD 2103?
Plans must align with DHS, CISA, NIST, and HSCC best practices, comply with HIPAA, and include a backup communication provision, written patient transfer agreements with other hospitals, an incident response plan covering clinical and communications procedures, and a process for promptly incorporating manually charted information into electronic records. Annual review, testing of incident response and downtime procedures, and training for employees and board members are all required.
Why did hospital operators oppose the bill?
St. Mary's Hospital president Winfield Brown testified that the facility had already followed all HIPAA-required protective planning measures before the 2025 attack and argued that LD 2103 would add administrative and duplicative costs on top of existing requirements.
What is the status of LD 2103?
As of the date of this article, the bill has passed the Maine House unanimously and faces further votes in both chambers before it can be signed into law.
How does the backup communication requirement address what went wrong in the 2025 attacks?
The attacks crippled basic hospital communication services, leaving patients without word from their providers for weeks. The bill's backup communication provision requires hospitals to plan for maintaining continuity of care during a system disruption, which in practice means having channels that do not depend on the same IT infrastructure a cyberattack has taken down.
Does compliance with HIPAA guarantee a hospital is protected from ransomware?
No. The Covenant Health attack, which affected 478,188 patients, occurred despite the hospital reporting it had followed all HIPAA-required protections before the incident. LD 2103 is designed to go beyond HIPAA minimums by requiring tested operational continuity plans and annual response drills that HIPAA does not mandate in the same prescriptive detail.