Woodfords Family Services Data Breach 2026 (Medusa Ransomware): 38,061 Maine Developmental-Disability Patients Exposed. Second Ransomware in 18 Months. What To Do
Woodfords Family Services, a Maine nonprofit serving 2,000+ children and adults with autism, intellectual/developmental disabilities, and mental-health diagnoses across 13 counties, disclosed in March 2026 a 2024 Medusa ransomware attack exposing names, SSNs, driver's license, passport, and developmental-disability diagnoses. 38,061 affected. 24-month notification gap. Second ransomware breach in 18 months. 12 months Cyberscout monitoring offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 8, 2024
Suspicious activity detected; network secured
Apr 8, 2024
Attacker gained access
May 30, 2024
Forensic investigation confirms data exfiltration
Jun 3, 2024
Preliminary HHS notice filed
Oct 3, 2025
Data-mining concluded after extended review
Mar 27, 2026
Final notification letters mailed; HHS OCR + Maine AG filings (38,061 affected)
Apr 8, 2024
Suspicious activity detected; network secured
Apr 8, 2024
Attacker gained access
May 30, 2024
Forensic investigation confirms data exfiltration
Jun 3, 2024
Preliminary HHS notice filed
Oct 3, 2025
Data-mining concluded after extended review
Mar 27, 2026
Final notification letters mailed; HHS OCR + Maine AG filings (38,061 affected)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Woodfords Family Services is a Westbrook, Maine 501(c)(3) nonprofit serving 2,000+ children, youth, and adults with autism, intellectual and developmental disabilities, and mental-health diagnoses across 13 Maine counties. The organization runs clinical, educational, behavioral-health, residential, community, and family-support programs.
On April 8, 2024, Woodfords detected suspicious activity. Forensic investigation closed on May 30, 2024, confirming unauthorized access and data exfiltration. The data-mining review needed to identify affected individuals took 17 months, concluding on October 3, 2025. The final HHS OCR submission and individual notification mailings did not occur until March 27, 2026 — nearly 24 months after the initial intrusion. The Medusa ransomware group has been tied to the exfiltration in industry reporting.
This is Woodfords’s second ransomware breach in 18 months. The prior June 2023 incident affected 17,285 individuals (6,691 with PHI).
What was stolen
- Full name, date of birth
- Social Security number
- Driver’s license number, government ID, passport number
- Financial account information
- Health insurance information
- Medical diagnosis and treatment information
Given Woodfords’s service mix, the diagnosis and treatment information almost certainly includes autism, intellectual / developmental disability, and behavioral-health diagnoses for the affected population. These are among the most stigmatizing PHI categories and disproportionately involve minor patients, who face a long-tail synthetic-identity-theft exposure window since their credit files are unmonitored for years.
What Woodfords is offering
- 12 months of complimentary credit monitoring and identity-theft protection via Cyberscout (TransUnion)
- Standard fraud-alert and credit-freeze guidance
What to do
- Enroll in Cyberscout through the code in your letter.
- Place free credit freezes at all three bureaus, including for any affected minor in your family. (Minors’ credit files can be frozen but require manual outreach to each bureau.)
- File IRS Form 14039 to prevent fraudulent tax filings.
- Stop the ongoing flow of developmental-disability and behavioral-health data. HealthConsent files HIPAA restriction requests so this stigma-sensitive data is not continuously re-shared by downstream entities.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Woodfords Family Services: Notice of Data Security Incident
- Woodfords Family Services Homepage
- HIPAA Journal: Woodfords Ransomware Coverage
- Paubox: Woodfords Discloses Breach Nearly Two Years After
- Maine AG: Woodfords Family Services Filing
- Vermont AG: Woodfords Filing
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.