Woodfords Family Services Data Breach Affected Almost 42,000 Individuals
Legal counsel for Woodfords Family Services has provided an updated breach notice to the Maine Attorney General, confirming that more individuals were affected by its ransomware attack than previously reported. The initial breach report submitted to the Maine Attorney General on March 27, 2026, stated that 8,073 individuals had been affected; however, a substitute notice has been issued for 33,911 individuals, with 41,984 individuals in total confirmed as affected by the data breach.
March 30, 2026: Woodfords Family Services Notifies Patients Affected by April 2024 Ransomware Attack
Westbrook, Maine-based Woodfords Family Services, a provider of services to individuals with special needs and their families, has notified the Maine Attorney General about a breach of the personal and protected health information of 8,073 individuals in a ransomware attack, including 7,701 Maine residents.
Suspicious network activity was identified on April 8, 2024. The investigation confirmed that its network had been accessed by the Medusa ransomware group. Immediate action was taken to investigate the incident and ensure the security of its systems, and the forensic investigation ended on May 30, 2024. A preliminary breach notice was issued on June 3, 2024, and a media notice was issued on June 7, 2024, to alert individuals potentially affected by the incident. Some notification letters were mailed to individuals in March 2025, although some people have only recently received notification letters.
While the incident was initially investigated internally, Woodfoods Family Services determined that it was unable to identify the full scope of the incident and engaged data mining specialists on September 25, 2024, to confirm the individuals affected and the types of data involved. The initial data mining process took until October 3, 2025, to complete, then the data had to be reviewed internally. The internal review was completed on January 29, 2026, mailing addresses for the affected individuals were verified, and the last of the notification letters were mailed to the affected individuals on March 27, 2026.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Data compromised in the incident included names, Social Security numbers, driver’s license numbers, financial account information, health insurance information, and diagnosis and treatment information. The affected individuals have been offered a complimentary 12-month membership to credit monitoring and identity theft protection services.
The data breach was reported to the HHS’ Office for Civil Rights in June 2024 using a placeholder figure of at least 500 affected individuals. The total has yet to be updated, although OCR has delayed adding new breach reports to its portal. This is not the first ransomware attack to be experienced by Woodfoods Family Services. An attack on June 19, 2023, involved unauthorized access to the personal information of 17,285 individuals, including the protected health information of 6,691 individuals.
