Active breach tracker Berlin, NH Disclosed September 5, 2025

Coos County Family Health Services Data Breach 2025: 40,185 Patients, RunSomeWarez Ransomware, $750K Settlement

Coos County Family Health Services, a federally qualified health center in Berlin, NH, was hit by the RunSomeWarez ransomware group on July 9, 2025. The incident exposed names, Social Security numbers, dates of birth, contact information, medical record numbers, and treatment information for 40,185 patients. CCFHS reported the breach to HHS OCR on September 5, 2025, mailed notification letters October 9, 2025, and has reached a $750,000 class-action settlement pending final approval.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jul 9, 2025

Unauthorized actor accessed CCFHS servers and phone systems; suspicious activity detected the same day

Jul 9, 2025

CCFHS detected the intrusion and launched forensic investigation

Aug 12, 2025

Forensic review confirmed unauthorized access to files containing patient PII and PHI

Aug 13, 2025

RunSomeWarez ransomware group claimed responsibility and posted CCFHS on its dark web leak site

Sep 5, 2025

CCFHS filed HIPAA breach notification with HHS OCR (initially listed as 501 individuals — a placeholder)

Sep 26, 2025

Data-review process completed; final affected count of 40,185 confirmed

Oct 9, 2025

CCFHS mailed individual notification letters and filed state AG notices (Maine, Massachusetts, Vermont)

Oct 14, 2025

Lynch Carpenter LLP and other firms announced class-action investigations

Nov 1, 2025

Anastasia Gonzalez-Pennington v. Coos County Family Health Services filed in NH Superior Court, Coos County (No. 214-2025-CV-00093)

Apr 14, 2026

Class-member claim-submission deadline ($5,000 cap plus two years of medical identity-theft monitoring)

May 4, 2026

Final approval hearing held at Coos Superior Court, Lancaster, NH ($750,000 settlement fund)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

02

Health records

Don't expire and can't be reissued

Medical record numbers and medical identification numbers Treatment and diagnosis information

03

Contact & insurance

Phishing + targeted scams

Full name Contact information (address, phone, email) Financial account information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Lynch Carpenter LLP Strauss Borrelli PLLC Migliaccio & Rathod LLP
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Coos County Family Health Services, a federally qualified health center serving the North Country of New Hampshire from its Berlin headquarters, was struck by the RunSomeWarez ransomware group on July 9, 2025. The intrusion compromised internal servers and the clinic’s phone system, and over the following weeks forensic investigators determined that an unauthorized actor had accessed — and likely exfiltrated — files containing patient and employee data. 40,185 patients were ultimately affected, including 35,609 New Hampshire residents, 1,222 in Maine, and 365 in Massachusetts. The breach has since been resolved through a $750,000 class-action settlement that received its final approval hearing on May 4, 2026.

Timeline

  • July 9, 2025 — CCFHS detected suspicious activity on its servers and phone systems; access and detection occurred the same day.
  • August 12, 2025 — Forensic review confirmed that the attacker had accessed files containing patient PII and PHI.
  • August 13, 2025 — The RunSomeWarez ransomware crew claimed the attack on its Tor-based leak site and listed CCFHS among its victims.
  • September 5, 2025 — CCFHS filed its initial HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights, using the standard 501-individual placeholder while review continued.
  • September 26, 2025 — Document review concluded with a final affected count of 40,185.
  • October 9, 2025 — Individual notification letters were mailed and substitute notices were filed with the Maine, Massachusetts, and Vermont attorneys general.
  • November 2025Anastasia Gonzalez-Pennington v. Coos County Family Health Services was filed in New Hampshire Superior Court for Coos County (No. 214-2025-CV-00093).
  • April 14, 2026 — Claim-submission deadline for class members.
  • May 4, 2026 — Final approval hearing for the $750,000 settlement, held at Coos Superior Court in Lancaster, NH.

What was exposed

According to CCFHS’s substitute notice filed with the Massachusetts Attorney General and the official notification letter sent to affected individuals on October 9, 2025, the exposed information varied by individual but included one or more of the following:

  • Full name
  • Date of birth
  • Contact information (address, phone, email)
  • Social Security number
  • Driver’s license number
  • Financial account information
  • Health insurance information
  • Medical record numbers and medical identification numbers
  • Treatment and diagnosis information

The combination of Social Security number, date of birth, and address makes this a high-severity exposure for identity-theft and synthetic-fraud risk. The presence of treatment and diagnosis data adds medical-identity-theft and discrimination exposure that does not expire when a credit-monitoring offer ends.

Why this matters: an FQHC patient population

Coos County Family Health Services is a federally qualified health center serving Berlin, Gorham, and the surrounding North Country of New Hampshire — one of the most rural, lowest-income, and most medically underserved corners of New England. FQHC patient panels skew toward Medicaid, dual-eligibles, the uninsured, and people who rely on a single trusted clinic for primary care, behavioral health, dental, and reproductive-health services.

That demographic profile changes the stakes of a breach:

  • Patients are less likely to have the financial cushion or credit infrastructure to absorb identity-theft losses or fraudulent medical billing.
  • Sensitive-care categories such as behavioral health, substance-use treatment, and Title X reproductive-health services are concentrated at FQHCs. Disclosure of treatment records carries acute privacy and discrimination consequences beyond financial fraud.
  • Rural patients often have fewer alternatives if they lose trust in their clinic, which makes the breach’s downstream impact on care-seeking and continuity harder to quantify than the dollar value of the settlement.

The $5,000 per-claimant cap and two years of medical identity-theft monitoring in the settlement reflect those heightened risks.

What CCFHS is offering

CCFHS arranged 12 months of complimentary credit monitoring and identity-theft protection through TransUnion’s Cyberscout service for all affected individuals. Enhanced credit-monitoring (including dark-web monitoring and identity-theft insurance) was offered to the subset of individuals whose Social Security numbers, driver’s license numbers, financial account information, or health insurance information were involved.

Twelve months is the industry-standard offer after a healthcare breach of this scope. It is also short relative to the half-life of a Social Security number, which does not change. The class-action settlement adds a second tier of remediation: up to $5,000 in documented out-of-pocket losses or extraordinary time-loss claims, plus two years of medical identity-theft monitoring for class members who submit a valid claim form.

The class action and settlement

Anastasia Gonzalez-Pennington v. Coos County Family Health Services, Inc., Case No. 214-2025-CV-00093, was filed in New Hampshire Superior Court for Coos County in late 2025 and consolidated investigations announced by Lynch Carpenter LLP, Strauss Borrelli PLLC, and Migliaccio & Rathod LLP.

The agreed settlement creates a $750,000 non-reversionary fund with the following key terms:

  • Class members may submit a claim for up to $5,000 for documented unreimbursed losses or extraordinary lost-time claims.
  • All class members are eligible for two years of medical identity-theft monitoring in addition to the 12 months of credit monitoring CCFHS already provided.
  • Objection and opt-out deadline: March 16, 2026.
  • Claim-submission deadline: April 14, 2026.
  • Final approval hearing: May 4, 2026 at Coos Superior Court, 55 School Street, Suite 301, Lancaster, NH.
  • Settlement administration is handled by Kroll Settlement Administration LLC.

The official settlement site is cooscountysettlement.com.

What to do if you may be affected

  • Submit your claim. If you received a notification letter and have not yet filed, the claim window has closed (April 14, 2026), but the settlement administrator at Kroll can confirm your class membership and answer questions about late-claim consideration.
  • Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the most effective defense against new-account fraud opened with stolen Social Security numbers.
  • Activate the offered monitoring. Enroll in both the 12-month TransUnion Cyberscout offering from CCFHS and, if you are a class member, the additional two years of medical identity-theft monitoring from the settlement.
  • Review your Explanation of Benefits (EOB) statements from your health insurer for the next 24 months. Charges for procedures or providers you do not recognize can indicate medical identity theft, which is harder to unwind than credit-card fraud.
  • Be alert to targeted phishing. Attackers who post stolen data on leak sites also use it to craft convincing follow-on phishing aimed at the same victim list. Be skeptical of unsolicited calls or emails referencing your CCFHS records.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.