Goodwin University Confirms Ransomware Attack Exposed PII and PHI of Nearly 900 Individuals

Goodwin University confirms a Dec 2025 Qilin ransomware breach exposing personal and health data of 896 individuals, offers free credit monitoring.

Peter Olaleru/3 min/GB

Cybersecurity Editor

Source: Claimdepot

On Dec. 4, 2025, Goodwin University suffered a ransomware intrusion that later exposed names, addresses, SSNs, driver’s license numbers, passports, and health‑insurance details of 896 people. The Qilin group claimed responsibility and the university is providing 24‑month credit monitoring through Cyberscout.

Context

Goodwin University, a private nonprofit in East Hartford, Connecticut, detected a network disruption on Dec. 4, 2025. It isolated affected systems and hired cybersecurity investigators. On Dec. 28, 2025, the Qilin ransomware group posted a claim on the dark web’s Tor network, asserting it had stolen university data. An internal review on Jan. 7, 2026 confirmed unauthorized file access, and a full data‑impact assessment concluded on March 20, 2026.

Key Facts

- The breach may have exposed PII: first and last names, addresses, Social Security numbers, driver’s license numbers, state IDs, and passports.
- PHI potentially compromised includes health conditions and insurance information.
- Affected individuals total 896: 531 Texas residents, 214 Rhode Island residents, and 151 Maine residents.
- Notification letters were mailed via U.S. Mail on April 16, 2026.
- Goodwin offers 24 months of free single‑bureau credit monitoring, a credit report, and a credit score through Cyberscout (a TransUnion subsidiary). Enrollment must be completed within 90 days of receiving the letter.
- A dedicated help line is available at 855‑954‑9474, weekdays 8 a.m.–8 p.m. ET.

What It Means

The incident illustrates how ransomware groups increasingly pursue double extortion—encrypting systems while exfiltrating sensitive data for leak or sale. For universities handling both student records and health‑clinic information, the overlap of PII and PHI raises regulatory exposure under FERPA, HIPAA, and state breach‑notification laws. The delayed public acknowledgment (over three months after the attack) highlights the importance of rapid internal analysis to meet notification deadlines.

Mitigations

Organizations should:

- Apply patches for known vulnerabilities exploited by Qilin, such as CVE‑2023‑28252 (Windows Print Spooler) if relevant, and prioritize Microsoft Patch Tuesday updates.
- Enforce multi‑factor authentication on all remote access and privileged accounts.
- Deploy email security gateways to block spear‑phishing attachments and links (MITRE ATT&CK T1566.001).
- Monitor for suspicious PowerShell or command‑line usage (T1059) and unusual outbound traffic to Tor nodes (T1041).
- Maintain offline, encrypted backups and test restoration quarterly to limit ransomware impact.
- Implement data‑loss prevention tools to detect exfiltration of PII/PHI files.

Watch for further disclosures from the Qilin group and any regulatory actions stemming from the breach.
