Active breach tracker Westbrook, ME Disclosed March 27, 2026

Woodfords Family Services Data Breach 2026 (Medusa Ransomware): 38,061 Maine Developmental-Disability Patients Exposed. Second Ransomware in 18 Months. What To Do

Woodfords Family Services, a Maine nonprofit serving 2,000+ children and adults with autism, intellectual/developmental disabilities, and mental-health diagnoses across 13 counties, disclosed in March 2026 a 2024 Medusa ransomware attack exposing names, SSNs, driver's license, passport, and developmental-disability diagnoses. 38,061 affected. 24-month notification gap. Second ransomware breach in 18 months. 12 months Cyberscout monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 8, 2024

Suspicious activity detected; network secured

Apr 8, 2024

Attacker gained access

May 30, 2024

Forensic investigation confirms data exfiltration

Jun 3, 2024

Preliminary HHS notice filed

Oct 3, 2025

Data-mining concluded after extended review

Mar 27, 2026

Final notification letters mailed; HHS OCR + Maine AG filings (38,061 affected)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number Government ID Passport number

02

Health records

Don't expire and can't be reissued

Medical diagnosis and treatment information (autism, IDD, behavioral health)

03

Contact & insurance

Phishing + targeted scams

Full name Financial account information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Sauder Schelkopf (publicly investigating) Federman & Sherwood (publicly investigating) Migliaccio & Rathod (publicly investigating) Bryson Harris Suciu & DeMay (publicly investigating) Emery Reddy (publicly investigating) Srourian Law (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Woodfords Family Services is a Westbrook, Maine 501(c)(3) nonprofit serving 2,000+ children, youth, and adults with autism, intellectual and developmental disabilities, and mental-health diagnoses across 13 Maine counties. The organization runs clinical, educational, behavioral-health, residential, community, and family-support programs.

On April 8, 2024, Woodfords detected suspicious activity. Forensic investigation closed on May 30, 2024, confirming unauthorized access and data exfiltration. The data-mining review needed to identify affected individuals took 17 months, concluding on October 3, 2025. The final HHS OCR submission and individual notification mailings did not occur until March 27, 2026 — nearly 24 months after the initial intrusion. The Medusa ransomware group has been tied to the exfiltration in industry reporting.

This is Woodfords’s second ransomware breach in 18 months. The prior June 2023 incident affected 17,285 individuals (6,691 with PHI).

What was stolen

  • Full name, date of birth
  • Social Security number
  • Driver’s license number, government ID, passport number
  • Financial account information
  • Health insurance information
  • Medical diagnosis and treatment information

Given Woodfords’s service mix, the diagnosis and treatment information almost certainly includes autism, intellectual / developmental disability, and behavioral-health diagnoses for the affected population. These are among the most stigmatizing PHI categories and disproportionately involve minor patients, who face a long-tail synthetic-identity-theft exposure window since their credit files are unmonitored for years.

What Woodfords is offering

  • 12 months of complimentary credit monitoring and identity-theft protection via Cyberscout (TransUnion)
  • Standard fraud-alert and credit-freeze guidance

What to do

  1. Enroll in Cyberscout through the code in your letter.
  2. Place free credit freezes at all three bureaus, including for any affected minor in your family. (Minors’ credit files can be frozen but require manual outreach to each bureau.)
  3. File IRS Form 14039 to prevent fraudulent tax filings.
  4. Stop the ongoing flow of developmental-disability and behavioral-health data. HealthConsent files HIPAA restriction requests so this stigma-sensitive data is not continuously re-shared by downstream entities.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.