Cyberattack Disrupts St. Mary’s Health System and Community Clinics in Lewiston, Maine

A cyberattack forced St. Mary’s Regional Medical Center in Lewiston, Maine, and affiliated Community Clinical Services (CCS) to disconnect from all data systems beginning Monday, May 26, 2025. Officials from Covenant Health, the Catholic nonprofit that owns St. Mary’s, confirmed that the incident was caused by an outside group and affected hospitals, clinics and provider practices across the organization. Though CCS became operationally independent last year, it remains tied to Covenant’s IT infrastructure, resulting in parallel disruptions. As a precaution, Covenant shut down systemwide access after detecting irregularities in network connectivity.

The system outage has led to workflow delays at both St. Mary’s and CCS, impacting appointment scheduling, medical records access and prescription services. CCS CEO Coleen Elias said patients should expect longer call wait times but should still attend scheduled appointments and reach out for medication refills or new bookings. St. Mary’s staff have been working manually to maintain patient care operations while cybersecurity experts investigate the incident and work to restore system access. With no timeline for full recovery provided, the attack has renewed concerns about digital vulnerabilities in regional health care systems that serve thousands across central Maine.