Woodfords Family Services discloses breach nearly two years after

A Maine nonprofit serving people with disabilities is notifying more than 8,000 individuals of a ransomware attack that occurred in April 2024, raising questions about notification timelines and the vulnerability of smaller healthcare-adjacent organizations.

What happened

Woodfords Family Services, a Westbrook, Maine-based nonprofit that provides clinical, educational, behavioral health, residential, and community support programs for people with disabilities, has disclosed a data breach affecting 8,073 individuals, including 7,701 Maine residents. According to the organization's breach notice filed with the Maine Attorney General, suspicious network activity was discovered on April 8, 2024, with investigators determining that certain files were subject to unauthorized access that same day, along with data staging activities consistent with exfiltration. Notification letters were not mailed to affected individuals until March 27, 2026, nearly two years after the attack occurred. The types of information potentially involved include names, Social Security numbers, driver's license numbers, government identification numbers, passport numbers, dates of birth, financial account information, medical diagnostic and treatment information, and health insurance details.

Going deeper

The nearly two-year gap between the attack and individual notifications reflects the length of the data review process rather than a delayed initial response. According to the organization's notice, forensic specialists completed their investigation by May 30, 2024, and a preliminary breach notice was submitted to HHS on June 3, 2024. However, Woodfords subsequently determined that it could not identify the full scope of affected individuals through its own internal review and engaged external data mining specialists on September 25, 2024. The data mining process alone took until October 3, 2025 to complete, more than a year later, and was followed by a further internal review to determine which individuals fell outside HIPAA's scope. The full affected population was not confirmed until January 29, 2026.

What was said

In its breach notice, Woodfords Family Services stated: "On April 8, 2024, we discovered suspicious activity within our network. We took steps to secure our environment, and forensic specialists were engaged to investigate the nature and scope of the disruption. Our investigation determined that certain files and folders from our network were subject to unauthorized access that same day." The organization added that it began a detailed review of the affected files and confirmed on January 29, 2026, that personal information and protected health information were contained in the data set.

In the know

According to DataBreaches.net, the April 2024 attack was Woodfords' second ransomware incident in less than a year. In November 2023, the organization notified the Maine Attorney General of a separate cybersecurity incident affecting 17,285 individuals. HHS closed that earlier investigation, noting that Woodfords had experienced a ransomware bot attack and had implemented additional technical and security safeguards in response. The recurrence of a ransomware attack within months of implementing those safeguards, and the subsequent claim by the Medusa ransomware group that it had obtained 198.5 GB of data and posted the organization to its dark web leak site with a $300,000 ransom demand, suggests those safeguards were insufficient against a determined attacker.

The big picture

The Woodfords case illustrates a pattern that is common in smaller healthcare and healthcare-adjacent organizations: a breach occurs, remediation steps are taken, and a second breach follows before those steps have materially strengthened the organization's defenses. According to Paubox's What Small Healthcare Practices Get Wrong About HIPAA and Email Security report, healthcare breaches in 2025 took an average of 224 days to detect and another 84 days to contain, a combined timeline of more than ten months. The same report found that one in five small healthcare organizations has no email archiving or audit trail in place, leaving it unable to properly investigate incidents after they occur, and that one third report not having enough time for compliance tasks. These structural constraints make smaller organizations disproportionately exposed to repeat incidents. OCR Director Melanie Fontes Rainer has stated that "every organization, no matter the size, is required to comply with the HIPAA Security Rule" and that "risk assessments are not optional — they're foundational," a standard that applies to nonprofits serving vulnerable populations just as it does to large hospital systems.

FAQs

Why did it take nearly two years to notify affected individuals?

Woodfords completed its forensic investigation by May 2024 and filed a preliminary HHS notice that same month. However, identifying the full population of affected individuals required external data mining specialists whose work took more than a year to complete. Individual notifications could not be finalized until the internal review of that data was completed in January 2026.

What is the Medusa ransomware group?

Medusa is a ransomware-as-a-service operation that emerged in 2023 and operates using a double extortion model, both encrypting victim systems and threatening to publish stolen data on a dark web leak site unless a ransom is paid. The group posted Woodfords to its leak site in late April 2024 with a $300,000 ransom demand and claimed 198.5 GB of stolen data.

Why are smaller nonprofits particularly vulnerable to repeated ransomware attacks?

Nonprofit organizations providing disability and behavioral health services often operate with constrained IT budgets, smaller security teams, and limited capacity to implement and maintain advanced security controls. When remediation after one attack is insufficient due to resource limitations, the organization remains exposed to follow-on incidents from the same or different threat actors.

What types of individuals were notified under HIPAA versus outside of it?

HIPAA notification applied to the 4,007 Maine residents whose protected health information was involved. An additional 3,695 Maine residents whose personally identifiable information was exposed but whose data fell outside HIPAA's coverage were notified separately under applicable state privacy laws.