Sandhills Medical Foundation Hit by Ransomware Attack, Exposing Sensitive Data of 169,000 Patients
On May 8, 2025, Sandhills Medical Foundation, Inc., a Federally Qualified Health Center serving communities in South Carolina since 1977, detected a ransomware attack on its systems. The nonprofit healthcare provider, which operates in Chesterfield, Kershaw, Lancaster, and Sumter counties, offers primary care, behavioral health, laboratory testing, and other medical services.
After securing its network, Sandhills launched an investigation with cybersecurity experts, confirming that the INC Ransom group had breached its servers and accessed sensitive patient data. The exposed information affecting 169,017 individuals in the U.S., including eight in Maine varied by person but included:
- Dates of birth
- Social Security numbers
- Individual Taxpayer Identification Numbers
- Driver’s licenses and government-issued IDs
- Passport details
- Financial information
- Personal health records
Sandhills has since begun notifying affected individuals as part of its response efforts. Legal firms, including Shamis & Gentile P.A., are investigating potential compensation claims for those impacted by the breach. The incident underscores the ongoing threat of ransomware attacks targeting healthcare providers and the exposure of highly sensitive personal data.
Source: https://www.claimdepot.com/investigations/sandhills-medical-foundation-data-breach-2026
Sandhills Medical cybersecurity rating report: https://www.rankiteo.com/company/sandhills-medical
"id": "SAN1777473388",
"linkid": "sandhills-medical",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '169,017',
'industry': 'Healthcare',
'location': 'Chesterfield, Kershaw, Lancaster, and '
'Sumter counties, South Carolina, USA',
'name': 'Sandhills Medical Foundation, Inc.',
'type': 'Nonprofit Healthcare Provider'}],
'customer_advisories': 'Notifying affected individuals',
'data_breach': {'number_of_records_exposed': '169,017',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Dates of birth',
'Social Security numbers',
'Individual Taxpayer '
'Identification Numbers',
'Driver’s licenses and '
'government-issued IDs',
'Passport details',
'Financial information',
'Personal health records']},
'date_detected': '2025-05-08',
'description': 'On May 8, 2025, Sandhills Medical Foundation, Inc. detected a '
'ransomware attack on its systems. The INC Ransom group '
'breached its servers and accessed sensitive patient data '
'affecting 169,017 individuals. The exposed information '
'included dates of birth, Social Security numbers, financial '
'details, and personal health records. Sandhills has begun '
'notifying affected individuals and is working with '
'cybersecurity experts to investigate the incident.',
'impact': {'data_compromised': 'Sensitive patient data including dates of '
'birth, Social Security numbers, financial '
'information, and personal health records',
'identity_theft_risk': 'High',
'payment_information_risk': 'High'},
'investigation_status': 'Ongoing',
'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'INC Ransom'},
'references': [{'source': 'Cyber Incident Description'}],
'regulatory_compliance': {'legal_actions': 'Potential compensation claims '
'being investigated by Shamis & '
'Gentile P.A.'},
'response': {'communication_strategy': 'Notifying affected individuals',
'containment_measures': 'Secured its network',
'third_party_assistance': 'Cybersecurity experts'},
'threat_actor': 'INC Ransom group',
'title': 'Sandhills Medical Foundation Hit by Ransomware Attack, Exposing '
'Sensitive Data of 169,000 Patients',
'type': 'Ransomware'}