Active breach tracker Woodsville, NH Disclosed February 6, 2026

Cottage Hospital Data Breach 2026 (Qilin Ransomware): 2,156 New Hampshire Critical Access Hospital Patients and Employees Exposed. What To Do

Cottage Hospital, a 25-bed independent critical access hospital in Woodsville, New Hampshire serving the Connecticut River Valley, was attacked by the Qilin ransomware group in October 2025. Names, Social Security numbers, driver's licenses, and bank account information for ~2,156 individuals exposed (primarily employees and employee-patients). 12 months Experian IdentityWorks offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 14, 2025

Unauthorized access to file server begins (1-week window)

Oct 21, 2025

Unauthorized access window ends

Dec 8, 2025

Hospital learns of the intrusion

Jan 27, 2026

Forensic review completed; breach scope determined

Feb 6, 2026

Notification letters mailed; HHS OCR + NH/VT AG filings

Feb 6, 2026

Disclosed publicly

Feb 9, 2026

Strauss Borrelli announces class action investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number Driver's license number

03

Contact & insurance

Phishing + targeted scams

Full name Bank account information Medical information (for employee-patients) Health insurance information (for employee-patients)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (publicly investigating; announced 2026-02-09)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Cottage Hospital is a 25-bed independent nonprofit critical access hospital in Woodsville, New Hampshire (Grafton County, North Country region). The hospital serves the Connecticut River Valley and Upper Valley on the NH/VT border. Services include ER, inpatient med/surg, surgery, obstetrics, rehab, and rural primary care clinics. Cottage is not part of a larger health system; its service area straddles NH and VT.

Between October 14 and 21, 2025, the Qilin ransomware group accessed a Cottage Hospital file server. The hospital learned of the intrusion on December 8, 2025. The forensic review was completed on January 27, 2026, and Cottage Hospital mailed notification letters and filed with HHS OCR, NH AG, and VT AG on February 6, 2026 — confirming 2,156 affected individuals total.

State-level breakdown per AG filings: 1,138 NH residents, 83 ME residents, 62 MA residents, plus unspecified VT and other-state residents.

Note on the affected count: HHS OCR shows 1,005 individuals for this filing. The discrepancy with the 2,156 total reflects HIPAA scope — the HHS figure covers only the HIPAA-covered (patient-PHI) subset; the larger 2,156 includes employee and non-patient records that fall under state breach notification but not HIPAA.

Qilin is a Russian-affiliated ransomware-as-a-service group active 2022-present, known for healthcare targeting (Synnovis/NHS in 2024, and others). Qilin operates a data-theft plus encryption double-extortion model.

Who was affected

This breach primarily affects current and former Cottage Hospital employees, plus employee-patients (employees who also received care at the hospital). Specifically:

  • Employees and former employees: name, SSN, driver’s license number, bank account information
  • Employee-patients: additionally, medical information and health insurance information

The OCR portal categorization as “Network Server” (rather than EMR) is consistent with the employee-focused exposure — payroll, HR, and direct-deposit records were the primary data store breached.

What was stolen

  • Full name
  • Social Security number
  • Driver’s license number
  • Bank account information
  • Medical information (for employee-patients)
  • Health insurance information (for employee-patients)

What Cottage Hospital is offering

  • 12 months complimentary Experian IdentityWorks — credit monitoring, fraud consultation, identity restoration
  • Enhanced safeguards and employee security training
  • Forensic investigation engaged

What to do

  1. Enroll in Experian IdentityWorks through the activation code in your letter.
  2. Place free credit freezes at Equifax, Experian, TransUnion. Full SSN and driver’s license are in scope.
  3. File IRS Form 14039.
  4. Cancel and reissue any payment methods tied to the bank account information in scope. ACH theft can be rapid when routing/account numbers are exposed — call your bank to flag the account for unusual activity.
  5. Replace your driver’s license if you receive evidence of identity theft using it.
  6. If you are a former Cottage Hospital employee, your records are almost certainly in scope — current employment status does not exclude you.
  7. Stop the ongoing flow of your hospital employment and care data. HealthConsent files HIPAA restriction requests covering employer-as-covered-entity pathways and rural hospital data flows.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.