A notice by Woodfords Family Services in Maine caught my eye because the name sounded familiar. They provide support services for people with disabilities and their families. On March 27, 2026, they issued a notice:
What Happened? On April 8, 2024, we discovered suspicious activity within our network. We took steps to secure our environment and forensic specialists were engaged to investigate the nature and scope of the disruption. Our investigation determined that certain files and folders from our network were subject to unauthorized access that same day. Out of an abundance of caution, we began a comprehensive review of these files and folders, and confirmed on January 29, 2026 that certain personal information and protected health information (PHI) was contained in the data set.
April 8, 2024? And they are first issuing this notice almost two years later? Well, not exactly. Read on.
What Information Was Involved? The information involved varied by individual, but may have included your first and last name along with a Social Security number, driver’s license number or government identification number, passport number, date of birth, financial account information, medical diagnostic or treatment information, and health insurance information.
Individuals whose information was involved and for whom we had address information were provided written notice on March 27, 2025.
But those for whom they didn’t have address information may first be finding out now.
DataBreaches checked our non-public worksheets and discovered entries for Woodfords Family Services in 2023 and 2024.
In November 2023, Woodfords notified the Maine Attorney General’s Office of an incident affecting 17,285 people, in total, of which 16,862 were Maine residents. They also notified HHS at the time that 6,691 patients had their protected health information involved. HHS’s closing statement following their investigation indicated that no business associate had been involved, and Woodfords had “experienced a ransomware bot attack that affected the protected health information (PHI) of approximately 6,691 individuals.” In response to the breach, Woodfords “implemented additional technical and security safeguards to better protect sensitive data.” A copy of their 2023 notification can still be found on their website.
In April 2024, Woodfords was reportedly successfully attacked again. On June 3, 2024, they notified HHS that 500 patients had been affected, seemingly using a placeholder for the actual number. That number still has not been updated, although Woodfords’ report to Maine indicates that this breach affected 8,073 people, of which 7,701 were Maine residents.
In its closing statement following its investigation, HHS wrote that Woodfords reported it was the subject of a ransomware attack. Once again, in response to the breach, “the CE implemented additional administrative and technical safeguards to better protect its PHI.”
The incident reported to HHS in June 2024 is the incident disclosed in this week’s notification. Although Woodfords claims to have no indication of fraud or identity theft resulting from this incident, they are offering complimentary credit monitoring and identity protection services to individuals whose Social Security numbers were involved.
DataBreaches could not find any ransomware gang claiming responsibility for either of the Woodfords breaches. Nor could we find any data leak. Woodfords’ notices do not mention ransomware and make no mention of whether they had paid any ransom demands.
Click Here For The Original Source.
