Cottage Hospital Data Breach 2026 (Qilin Ransomware): 2,156 New Hampshire Critical Access Hospital Patients and Employees Exposed. What To Do
Cottage Hospital, a 25-bed independent critical access hospital in Woodsville, New Hampshire serving the Connecticut River Valley, was attacked by the Qilin ransomware group in October 2025. Names, Social Security numbers, driver's licenses, and bank account information for ~2,156 individuals exposed (primarily employees and employee-patients). 12 months Experian IdentityWorks offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 14, 2025
Unauthorized access to file server begins (1-week window)
Oct 21, 2025
Unauthorized access window ends
Dec 8, 2025
Hospital learns of the intrusion
Jan 27, 2026
Forensic review completed; breach scope determined
Feb 6, 2026
Notification letters mailed; HHS OCR + NH/VT AG filings
Feb 6, 2026
Disclosed publicly
Feb 9, 2026
Strauss Borrelli announces class action investigation
Oct 14, 2025
Unauthorized access to file server begins (1-week window)
Oct 21, 2025
Unauthorized access window ends
Dec 8, 2025
Hospital learns of the intrusion
Jan 27, 2026
Forensic review completed; breach scope determined
Feb 6, 2026
Notification letters mailed; HHS OCR + NH/VT AG filings
Feb 6, 2026
Disclosed publicly
Feb 9, 2026
Strauss Borrelli announces class action investigation
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Cottage Hospital is a 25-bed independent nonprofit critical access hospital in Woodsville, New Hampshire (Grafton County, North Country region). The hospital serves the Connecticut River Valley and Upper Valley on the NH/VT border. Services include ER, inpatient med/surg, surgery, obstetrics, rehab, and rural primary care clinics. Cottage is not part of a larger health system; its service area straddles NH and VT.
Between October 14 and 21, 2025, the Qilin ransomware group accessed a Cottage Hospital file server. The hospital learned of the intrusion on December 8, 2025. The forensic review was completed on January 27, 2026, and Cottage Hospital mailed notification letters and filed with HHS OCR, NH AG, and VT AG on February 6, 2026 — confirming 2,156 affected individuals total.
State-level breakdown per AG filings: 1,138 NH residents, 83 ME residents, 62 MA residents, plus unspecified VT and other-state residents.
Note on the affected count: HHS OCR shows 1,005 individuals for this filing. The discrepancy with the 2,156 total reflects HIPAA scope — the HHS figure covers only the HIPAA-covered (patient-PHI) subset; the larger 2,156 includes employee and non-patient records that fall under state breach notification but not HIPAA.
Qilin is a Russian-affiliated ransomware-as-a-service group active 2022-present, known for healthcare targeting (Synnovis/NHS in 2024, and others). Qilin operates a data-theft plus encryption double-extortion model.
Who was affected
This breach primarily affects current and former Cottage Hospital employees, plus employee-patients (employees who also received care at the hospital). Specifically:
- Employees and former employees: name, SSN, driver’s license number, bank account information
- Employee-patients: additionally, medical information and health insurance information
The OCR portal categorization as “Network Server” (rather than EMR) is consistent with the employee-focused exposure — payroll, HR, and direct-deposit records were the primary data store breached.
What was stolen
- Full name
- Social Security number
- Driver’s license number
- Bank account information
- Medical information (for employee-patients)
- Health insurance information (for employee-patients)
What Cottage Hospital is offering
- 12 months complimentary Experian IdentityWorks — credit monitoring, fraud consultation, identity restoration
- Enhanced safeguards and employee security training
- Forensic investigation engaged
What to do
- Enroll in Experian IdentityWorks through the activation code in your letter.
- Place free credit freezes at Equifax, Experian, TransUnion. Full SSN and driver’s license are in scope.
- File IRS Form 14039.
- Cancel and reissue any payment methods tied to the bank account information in scope. ACH theft can be rapid when routing/account numbers are exposed — call your bank to flag the account for unusual activity.
- Replace your driver’s license if you receive evidence of identity theft using it.
- If you are a former Cottage Hospital employee, your records are almost certainly in scope — current employment status does not exclude you.
- Stop the ongoing flow of your hospital employment and care data. HealthConsent files HIPAA restriction requests covering employer-as-covered-entity pathways and rural hospital data flows.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Vermont AG: Cottage Hospital Data Breach Notice 2026-02-06
- Valley News: Cottage Hospital Data Breach Coverage
- BreachSense: Cottage Hospital Qilin Attribution
- Strauss Borrelli: Cottage Hospital Investigation
- Becker's Hospital Review: NH Hospital Reports Data Breach
- Cottage Hospital Notice of Security Breach (HCAdam-hosted PDF)
- NH AG Security Breach Notifications Index
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.