Wood River Health (WRH), a Rhode Island-based nonprofit healthcare provider, has disclosed a significant data breach that may have exposed the personal identifiable information (PII) and protected health information (PHI) of 54,926 individuals.
According to a breach notification posted on WRH’s website, the organization discovered on August 8, 2024, that an unauthorized individual accessed an employee email account. The investigation revealed that the account was compromised for nearly a month, from August 8 to September 6, 2024, during which time sensitive data may have been viewed or acquired.
WRH immediately launched an investigation with third-party forensic experts to determine the scope of the incident. After months of reviewing impacted data, the organization concluded its investigation on June 17, 2025.
The data potentially exposed included individuals’ full names, Social Security numbers, dates of birth, driver’s license numbers and passport numbers, financial account details, medical information and health insurance information and employment records.
On July 28, 2025, WRH began sending notification letters to impacted individuals. The notifications outlined which types of information may have been compromised and offered recipients complimentary credit monitoring and identity theft protection services.
Wood River Health (WRH) is a 501(c)(3) nonprofit organization founded in 1976 and headquartered in Hope Valley, Rhode Island. WRH provides full-service medical, dental, and behavioral healthcare to residents across multiple Rhode Island and Connecticut communities, including Westerly, Block Island, Charlestown, Exeter, and Pawcatuck.
As a safety-net provider, WRH serves vulnerable populations, which makes incidents like this especially serious. Email account compromises remain a leading source of healthcare breaches due to the sensitive patient information these accounts often contain.
While WRH has not shared details about how the attacker gained access to the email account, phishing attacks and weak or reused passwords are frequent entry points for hackers. In fact, email remains the number one attack vendor for healthcare data breaches as evidenced by the 2025 Healthcare Email Security Report.
Once the email has been breached, stolen information like Social Security numbers and insurance IDs can be used for medical identity theft or sold on the dark web. Furthermore, even if no misuse is immediately detected, victims may experience fraud months or years after the breach.
In its breach notice to the Maine Attorney General, WRH wrote, “We treat our responsibility to safeguard the information entrusted to us as an utmost priority. As such, we responded immediately to this incident and have been working diligently to provide you with an accurate and complete notice of the incident.”
“Our immediate response to this event also included prompt and continued correspondence with federal law enforcement authorities. As part of our ongoing commitment to the privacy and security of information in our care, we have reviewed our existing policies and procedures relating to data protection and security and implemented enhanced security controls.”
The notice further explained that individuals are being provided with a list of the specific categories of information impacted and are encouraged to take advantage of free credit monitoring services.
Learn more: HIPAA Compliant Email: The Definitive Guide
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples of breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.