
Lawmakers urge narrow public‑records carve‑out as they review hospital cybersecurity bill

March 17, 2026 | 2026 Legislature ME, Maine


This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting.

The legislature’s Judiciary Committee reviewed LD 2103 — a bill from the Health and Human Services Committee requiring hospitals to adopt written cybersecurity plans, annual external audits, penetration testing, continuous vulnerability scanning and tabletop exercises — and urged narrower public‑records language for portions of the plans and audit summaries.

Sponsor Representative Julie McCabe said the bill responds to two cyber intrusions last spring that disabled electronic health records and some clinical technologies at five Maine hospitals. "A dedicated cybersecurity plan that hospitals would be required to write" was a central part of the bill, McCabe said, including independent audits and post‑attack reporting.

Committee analysts and the Department of Health and Human Services director walked members through the Freedom‑of‑Access Act rubric to evaluate whether cybersecurity plans and high‑level audit summaries should be confidential if submitted to the department. Members and agency witnesses agreed many operational details — penetration‑test results, continuous vulnerability scans, tabletop exercise details, triage procedures and the specifics of backup communications — are legitimately sensitive and, if publicly released, could enable bad actors to exploit weaknesses. At the same time, several legislators said the public should be able to know that a hospital has a plan, conducts training and performs tests; those requirements could remain public while the underlying technical details are exempted.

The committee voted unanimously in its public‑records review to recommend that the HHS committee narrow the proposed exception and consider language patterned on existing FOA provisions (the committee suggested looking to 1 M.R.S. §402(3), paragraphs l and m) to ensure the exception is "narrowly tailored." The department emphasized that while audit results and plans should remain confidential, compliance failures and corrective‑action requirements would be public if a hospital failed to meet statutory obligations.

What happens next: The Judiciary Committee’s recommendation accompanies the HHS package as it moves through the Legislature; sponsors and agency staff will be asked to craft a more narrowly tailored public‑records exception and to identify which plan elements must remain confidential to avoid creating security risks.
