Goodwin University Breach Exposes PII and PHI of 896 Residents Across Three States

*TL;DR: Goodwin University suffered a ransomware breach that exposed personal and health information of 896 residents in Texas, Rhode Island and Maine; the school offers two years of free credit monitoring.

Context On Dec. 4, 2025 Goodwin University’s network went down. The university isolated the environment and hired external experts. Four weeks later the Qilin ransomware group claimed responsibility, saying it had posted stolen data on the Tor dark web. An internal review completed on Mar. 20, 2026 confirmed that files containing personally identifiable information (PII) and protected health information (PHI) were accessed without authorization.

Key Facts - The breach affected 531 Texas residents, 214 Rhode Island residents and 151 Maine residents, totaling 896 individuals. - Exposed PII included names, addresses, Social Security numbers, driver’s‑license numbers and passport numbers. Exposed PHI covered health records and insurance details. - Goodwin began mailing notifications on Apr. 16, 2026 and reported the incident to the attorneys general of Maine and Texas. - A 24‑month credit‑monitoring package from Cyberscout (a TransUnion subsidiary) is provided at no cost. Affected persons must enroll within 90 days using a unique code supplied in the letter. - A dedicated call center operates Mon‑Fri, 8 a.m.–8 p.m. ET, at 855‑954‑9474 for support.

What It Means The attack illustrates how ransomware groups leverage stolen data for extortion and secondary profit on underground markets. Qilin’s claim of publishing the data on Tor suggests a dual‑extortion model: encrypting systems while threatening public exposure. The breach also highlights the risk of storing PHI alongside academic records, expanding the regulatory impact under HIPAA (Health Insurance Portability and Accountability Act).

Mitigations – What Defenders Should Do 1. Patch known vulnerabilities – Apply the latest security updates for all network devices and servers; prioritize CVE‑2023‑XXXXX‑related remote code execution flaws often abused by ransomware. 2. Implement network segmentation – Isolate systems that store PII/PHI from general campus networks to limit lateral movement. 3. Deploy multi‑factor authentication – Require MFA for all privileged accounts to block credential‑theft techniques (MITRE ATT&CK T1110). 4. Enable robust backup hygiene – Maintain immutable, offline backups and test restoration procedures quarterly. 5. Monitor for exfiltration – Deploy DLP (data‑loss‑prevention) tools that flag large outbound transfers of sensitive fields such as SSNs or health codes. 6. Conduct phishing simulations – Reduce the likelihood of credential phishing, a common initial access vector for ransomware groups.

Looking Ahead Watch for updates on Qilin’s activity and any legal actions that may reshape ransomware response protocols in the education sector.