Woodfords Data Breach Exposes PII and PHI of 41k Individuals

Woodfords Family Services, a Maine-based nonprofit organization that provides support programs for people with disabilities, has disclosed a data breach that affected 41,984, previously 8,073, individuals in the United States, including 7,701 Maine residents, 75 New Hampshire residents, and 50 Massachusetts residents.

A preliminary notice was submitted to the U.S. Department of Health and Human Services on June 3, 2024. On March 27, 2026, the HHS disclosed that a total of 38,061 individuals had their protected health information compromised.

On April 29, 2024, the Medusa ransomware group posted a claim on the Tor dark web network stating it had access to 198.5 GB of the organization's data. The group threatened to publish the stolen data within nine to 10 days and provided sample screenshots on its dark web portal.

Woodfords engaged forensic specialists to investigate the nature and scope of the attack, which concluded on May 30, 2024. The organization then began a comprehensive internal review to identify what data was potentially affected and to determine whom it belonged to.

When Woodfords determined it could not identify the full scope of the incident through its own internal process, it brought in data mining specialists on Sept. 25, 2024. The initial data mining process did not conclude until Oct. 3, 2025, more than a year later.

The types of information exposed varied by individual but may have included names, Social Security numbers, driver's license numbers, government identification numbers, passport numbers, dates of birth, financial account information, medical diagnostic or treatment information, and health insurance information.

The breach was disclosed to the attorneys general of Maine, the Massachusetts, the New Hampshire, and the Vermont starting on March 27, 2026. Additionally, an amended notice was filed with the Maine Attorney General on April 7, 2026, updating the number of total individuals affected.

The organization also posted a notice on its website about the incident.

Woodfords Family Services' response to the breach

The organization is offering 12 months of complimentary single bureau credit monitoring, fraud consultation and identity theft restoration services through Cyberscout, a TransUnion company.

These services are available to individuals whose Social Security numbers were included in the affected data set. Individuals must enroll within 90 days of the date of their notification letter to receive these services.

Woodfords has set up a dedicated call center to answer questions and assist with fraud consultation and credit monitoring enrollment. The call center can be reached at 1-833-877-8966, Monday through Friday from 8 a.m. to 8 p.m. Eastern Time, excluding major U.S. holidays.

Steps to take if your information was exposed

• Place a fraud alert or credit freeze with the three major credit bureaus: Equifax (1-888-298-0045), Experian (1-888-397-3742) and TransUnion (1-800-680-7289).
• Request free credit reports at AnnualCreditReport.com or by calling 1-877-322-8228, and review them carefully for any accounts or inquiries that look unfamiliar.
• Monitor financial account statements closely for unauthorized transactions, and contact the financial institution right away if anything looks suspicious.
• Review medical records and insurance statements for any services, prescriptions or claims not recognized, which could be signs of medical identity theft.
• Be cautious of phishing attempts that reference Woodfords Family Services or this data breach by name, as scammers sometimes use real breach notifications to trick people into sharing more personal information.
• Report suspected identity theft to the Federal Trade Commission at identitytheft.gov or by calling 1-877-438-4338.