Woodfords Data Breach Exposes PII and PHI of 8,073 Individuals

Woodfords Family Services, a Maine-based nonprofit organization that provides support programs for people with disabilities, has disclosed a data breach that affected approximately 8,073 individuals in the United States, including 7,701 Maine residents.

Woodfords Family Services discovered the breach on April 8, 2024, and notified consumers on March 27, 2026. A preliminary notice was submitted to the U.S. Department of Health and Human Services on June 3, 2024.

The breach was disclosed to the Maine Attorney General on March 27, 2026. The organization also posted a notice on its website about the incident.

What happened in the Woodfords Family Services data breach

On April 8, 2024, Woodfords discovered suspicious activity within its network.

The investigation determined that the organization's systems were subject to unauthorized access that same day. Investigators also identified data staging and activities typically associated with data exfiltration, meaning files may have been copied and removed from the network.

On April 29, 2024, the Medusa ransomware group posted a claim on the Tor dark web network stating it had access to 198.5 GB of the organization's data. The group threatened to publish the stolen data within nine to 10 days and provided sample screenshots on its dark web portal.

Woodfords engaged forensic specialists to investigate the nature and scope of the attack, which concluded on May 30, 2024. The organization then began a comprehensive internal review to identify what data was potentially affected and to determine whom it belonged to.

When Woodfords determined it could not identify the full scope of the incident through its own internal process, it brought in data mining specialists on Sept. 25, 2024. The initial data mining process did not conclude until Oct. 3, 2025, more than a year later.

The resulting data then required further internal review to determine whether any affected individuals fell outside the scope of the federal health privacy law known as HIPAA.

On Jan. 29, 2026, Woodfords confirmed that the affected population included the personally identifiable information (PII) of 3,695 Maine residents, in addition to 4,007 Maine residents whose protected health information (PHI) was involved and who were being notified under HIPAA.

The types of information exposed varied by individual but may have included names, Social Security numbers, driver's license numbers, government identification numbers, passport numbers, dates of birth, financial account information, medical diagnostic or treatment information, and health insurance information.

Woodfords Family Services' response to the breach

The organization is offering 12 months of complimentary single bureau credit monitoring, fraud consultation and identity theft restoration services through Cyberscout, a TransUnion company. These services are available to individuals whose Social Security numbers were included in the affected data set. Individuals must enroll within 90 days of the date of their notification letter to receive these services.

Woodfords has set up a dedicated call center to answer questions and assist with fraud consultation and credit monitoring enrollment. The call center can be reached at 1-833-877-8966, Monday through Friday from 8 a.m. to 8 p.m. Eastern Time, excluding major U.S. holidays.

Steps to take if your information was exposed

• Place a fraud alert or credit freeze with the three major credit bureaus: Equifax (1-888-298-0045), Experian (1-888-397-3742) and TransUnion (1-800-680-7289).
• Request free credit reports at AnnualCreditReport.com or by calling 1-877-322-8228, and review them carefully for any accounts or inquiries that look unfamiliar.
• Monitor financial account statements closely for unauthorized transactions, and contact the financial institution right away if anything looks suspicious.
• Review medical records and insurance statements for any services, prescriptions or claims not recognized, which could be signs of medical identity theft.
• Be cautious of phishing attempts that reference Woodfords Family Services or this data breach by name, as scammers sometimes use real breach notifications to trick people into sharing more personal information.
• Report suspected identity theft to the Federal Trade Commission at identitytheft.gov or by calling 1-877-438-4338.