Coos County Family Health Services Data Breach 2025: 40,185 Patients, RunSomeWarez Ransomware, $750K Settlement
Coos County Family Health Services, a federally qualified health center in Berlin, NH, was hit by the RunSomeWarez ransomware group on July 9, 2025. The incident exposed names, Social Security numbers, dates of birth, contact information, medical record numbers, and treatment information for 40,185 patients. CCFHS reported the breach to HHS OCR on September 5, 2025, mailed notification letters October 9, 2025, and has reached a $750,000 class-action settlement pending final approval.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jul 9, 2025
Unauthorized actor accessed CCFHS servers and phone systems; suspicious activity detected the same day
Jul 9, 2025
CCFHS detected the intrusion and launched forensic investigation
Aug 12, 2025
Forensic review confirmed unauthorized access to files containing patient PII and PHI
Aug 13, 2025
RunSomeWarez ransomware group claimed responsibility and posted CCFHS on its dark web leak site
Sep 5, 2025
CCFHS filed HIPAA breach notification with HHS OCR (initially listed as 501 individuals — a placeholder)
Sep 26, 2025
Data-review process completed; final affected count of 40,185 confirmed
Oct 9, 2025
CCFHS mailed individual notification letters and filed state AG notices (Maine, Massachusetts, Vermont)
Oct 14, 2025
Lynch Carpenter LLP and other firms announced class-action investigations
Nov 1, 2025
Anastasia Gonzalez-Pennington v. Coos County Family Health Services filed in NH Superior Court, Coos County (No. 214-2025-CV-00093)
Apr 14, 2026
Class-member claim-submission deadline ($5,000 cap plus two years of medical identity-theft monitoring)
May 4, 2026
Final approval hearing held at Coos Superior Court, Lancaster, NH ($750,000 settlement fund)
Jul 9, 2025
Unauthorized actor accessed CCFHS servers and phone systems; suspicious activity detected the same day
Jul 9, 2025
CCFHS detected the intrusion and launched forensic investigation
Aug 12, 2025
Forensic review confirmed unauthorized access to files containing patient PII and PHI
Aug 13, 2025
RunSomeWarez ransomware group claimed responsibility and posted CCFHS on its dark web leak site
Sep 5, 2025
CCFHS filed HIPAA breach notification with HHS OCR (initially listed as 501 individuals — a placeholder)
Sep 26, 2025
Data-review process completed; final affected count of 40,185 confirmed
Oct 9, 2025
CCFHS mailed individual notification letters and filed state AG notices (Maine, Massachusetts, Vermont)
Oct 14, 2025
Lynch Carpenter LLP and other firms announced class-action investigations
Nov 1, 2025
Anastasia Gonzalez-Pennington v. Coos County Family Health Services filed in NH Superior Court, Coos County (No. 214-2025-CV-00093)
Apr 14, 2026
Class-member claim-submission deadline ($5,000 cap plus two years of medical identity-theft monitoring)
May 4, 2026
Final approval hearing held at Coos Superior Court, Lancaster, NH ($750,000 settlement fund)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Coos County Family Health Services, a federally qualified health center serving the North Country of New Hampshire from its Berlin headquarters, was struck by the RunSomeWarez ransomware group on July 9, 2025. The intrusion compromised internal servers and the clinic’s phone system, and over the following weeks forensic investigators determined that an unauthorized actor had accessed — and likely exfiltrated — files containing patient and employee data. 40,185 patients were ultimately affected, including 35,609 New Hampshire residents, 1,222 in Maine, and 365 in Massachusetts. The breach has since been resolved through a $750,000 class-action settlement that received its final approval hearing on May 4, 2026.
Timeline
- July 9, 2025 — CCFHS detected suspicious activity on its servers and phone systems; access and detection occurred the same day.
- August 12, 2025 — Forensic review confirmed that the attacker had accessed files containing patient PII and PHI.
- August 13, 2025 — The RunSomeWarez ransomware crew claimed the attack on its Tor-based leak site and listed CCFHS among its victims.
- September 5, 2025 — CCFHS filed its initial HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights, using the standard 501-individual placeholder while review continued.
- September 26, 2025 — Document review concluded with a final affected count of 40,185.
- October 9, 2025 — Individual notification letters were mailed and substitute notices were filed with the Maine, Massachusetts, and Vermont attorneys general.
- November 2025 — Anastasia Gonzalez-Pennington v. Coos County Family Health Services was filed in New Hampshire Superior Court for Coos County (No. 214-2025-CV-00093).
- April 14, 2026 — Claim-submission deadline for class members.
- May 4, 2026 — Final approval hearing for the $750,000 settlement, held at Coos Superior Court in Lancaster, NH.
What was exposed
According to CCFHS’s substitute notice filed with the Massachusetts Attorney General and the official notification letter sent to affected individuals on October 9, 2025, the exposed information varied by individual but included one or more of the following:
- Full name
- Date of birth
- Contact information (address, phone, email)
- Social Security number
- Driver’s license number
- Financial account information
- Health insurance information
- Medical record numbers and medical identification numbers
- Treatment and diagnosis information
The combination of Social Security number, date of birth, and address makes this a high-severity exposure for identity-theft and synthetic-fraud risk. The presence of treatment and diagnosis data adds medical-identity-theft and discrimination exposure that does not expire when a credit-monitoring offer ends.
Why this matters: an FQHC patient population
Coos County Family Health Services is a federally qualified health center serving Berlin, Gorham, and the surrounding North Country of New Hampshire — one of the most rural, lowest-income, and most medically underserved corners of New England. FQHC patient panels skew toward Medicaid, dual-eligibles, the uninsured, and people who rely on a single trusted clinic for primary care, behavioral health, dental, and reproductive-health services.
That demographic profile changes the stakes of a breach:
- Patients are less likely to have the financial cushion or credit infrastructure to absorb identity-theft losses or fraudulent medical billing.
- Sensitive-care categories such as behavioral health, substance-use treatment, and Title X reproductive-health services are concentrated at FQHCs. Disclosure of treatment records carries acute privacy and discrimination consequences beyond financial fraud.
- Rural patients often have fewer alternatives if they lose trust in their clinic, which makes the breach’s downstream impact on care-seeking and continuity harder to quantify than the dollar value of the settlement.
The $5,000 per-claimant cap and two years of medical identity-theft monitoring in the settlement reflect those heightened risks.
What CCFHS is offering
CCFHS arranged 12 months of complimentary credit monitoring and identity-theft protection through TransUnion’s Cyberscout service for all affected individuals. Enhanced credit-monitoring (including dark-web monitoring and identity-theft insurance) was offered to the subset of individuals whose Social Security numbers, driver’s license numbers, financial account information, or health insurance information were involved.
Twelve months is the industry-standard offer after a healthcare breach of this scope. It is also short relative to the half-life of a Social Security number, which does not change. The class-action settlement adds a second tier of remediation: up to $5,000 in documented out-of-pocket losses or extraordinary time-loss claims, plus two years of medical identity-theft monitoring for class members who submit a valid claim form.
The class action and settlement
Anastasia Gonzalez-Pennington v. Coos County Family Health Services, Inc., Case No. 214-2025-CV-00093, was filed in New Hampshire Superior Court for Coos County in late 2025 and consolidated investigations announced by Lynch Carpenter LLP, Strauss Borrelli PLLC, and Migliaccio & Rathod LLP.
The agreed settlement creates a $750,000 non-reversionary fund with the following key terms:
- Class members may submit a claim for up to $5,000 for documented unreimbursed losses or extraordinary lost-time claims.
- All class members are eligible for two years of medical identity-theft monitoring in addition to the 12 months of credit monitoring CCFHS already provided.
- Objection and opt-out deadline: March 16, 2026.
- Claim-submission deadline: April 14, 2026.
- Final approval hearing: May 4, 2026 at Coos Superior Court, 55 School Street, Suite 301, Lancaster, NH.
- Settlement administration is handled by Kroll Settlement Administration LLC.
The official settlement site is cooscountysettlement.com.
What to do if you may be affected
- Submit your claim. If you received a notification letter and have not yet filed, the claim window has closed (April 14, 2026), but the settlement administrator at Kroll can confirm your class membership and answer questions about late-claim consideration.
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the most effective defense against new-account fraud opened with stolen Social Security numbers.
- Activate the offered monitoring. Enroll in both the 12-month TransUnion Cyberscout offering from CCFHS and, if you are a class member, the additional two years of medical identity-theft monitoring from the settlement.
- Review your Explanation of Benefits (EOB) statements from your health insurer for the next 24 months. Charges for procedures or providers you do not recognize can indicate medical identity theft, which is harder to unwind than credit-card fraud.
- Be alert to targeted phishing. Attackers who post stolen data on leak sites also use it to craft convincing follow-on phishing aimed at the same victim list. Be skeptical of unsolicited calls or emails referencing your CCFHS records.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record.
- HIPAA Journal: Cyberattack on Coos County Family Health Services Exposed Patient Data — affected count, dates, and remediation.
- Massachusetts Attorney General: CCFHS Breach Notice (Doc. 2025-1739) — state regulatory filing and substitute notice text.
- Anastasia Gonzalez-Pennington v. Coos County Family Health Services — Official Settlement Site — case caption, deadlines, and settlement terms.
- Paubox: Coos County, NH faces data breach, ransomware group claims responsibility — RunSomeWarez attribution and leak-site posting.
- Lynch Carpenter LLP — Investigation Announcement (GlobeNewswire) — class-action investigation announcement.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Cyberattack on Coos County Family Health Services Exposed Patient Data
- Massachusetts Attorney General — CCFHS Breach Notice (Doc. 2025-1739)
- Anastasia Gonzalez-Pennington v. Coos County Family Health Services — Official Settlement Site
- Paubox — Coos County, NH faces data breach, ransomware group claims responsibility
- Lynch Carpenter LLP — Investigation Announcement (GlobeNewswire)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.