Sandhills Medical Foundation, a federally qualified health center (FQHC) in South Carolina, disclosed that a May 2025 Inc Ransom ransomware attack compromised the protected health information (PHI) and personally identifiable information (PII) of 169,017 patients. The organization filed its breach notification with the Maine Attorney General on April 28, 2026 — nearly eleven months after discovering the intrusion.
Sandhills Medical Ransomware Breach: What We Know So Far
Sandhills Medical Foundation detected unauthorized access to its network on May 8, 2025. An attacker had accessed the company’s servers directly and exfiltrated patient data before deploying ransomware. On June 3, 2025, Inc Ransom — one of the more active ransomware-as-a-service (RaaS) operations of 2025 — published a claim on its dark web leak site, asserting responsibility for the attack.
The categories of data exposed vary by individual but include:
- Full name and date of birth
- Social Security number
- Individual Taxpayer Identification Number (ITIN)
- Driver’s license number
- Government-issued identification and passport information
- Financial account information
- Personal health information (PHI)
The combination of PHI and financial identifiers makes this breach particularly dangerous for affected patients. SSN and health record combinations are among the highest-value data sets on criminal markets because they enable both medical identity fraud and financial fraud simultaneously.
Inc Ransom has been active since at least late 2023 and is notable for targeting healthcare and critical infrastructure organizations. The group uses double-extortion tactics: it encrypts victim data and threatens to publish it on its Tor-hosted leak site if the ransom is not paid.
The HIPAA Disclosure Problem
Under the HIPAA Breach Notification Rule, covered entities are required to notify affected individuals within 60 days of discovering a breach. Sandhills Medical Foundation discovered the intrusion on May 8, 2025. The 60-day deadline would have been July 7, 2025.
The organization’s public notification in late April 2026 — roughly 11 months after discovery — places it well outside that statutory window. The Department of Health and Human Services Office for Civil Rights (HHS OCR) enforces HIPAA breach notification requirements and has the authority to levy civil monetary penalties ranging from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category.
This is not Sandhills Medical Foundation’s first encounter with legal scrutiny related to data security. The organization is an FQHC serving underserved communities in South Carolina, which means a significant portion of the 169,017 affected patients are likely low-income individuals with limited resources to respond to identity theft.
Class action litigation has already been filed. Law firms including Migliaccio & Rathod LLP are investigating the breach on behalf of affected patients.
Why This Breach Matters
Healthcare ransomware attacks carry consequences beyond financial loss. When PHI is exfiltrated — as opposed to simply encrypted — the damage to affected individuals does not end when the hospital restores operations. Social Security numbers cannot be changed. Medical records, once exposed, cannot be un-exposed.
The near-year delay in notifying patients is the most operationally significant aspect of this incident. For the 169,017 individuals affected, that means nearly a year during which their PHI was potentially circulating on dark web markets without their knowledge. Patients could not take protective steps — placing credit freezes, monitoring explanation-of-benefits statements for fraudulent claims, or requesting medical record audits — because they did not know they had been affected.
Inc Ransom’s operations reflect a broader pattern in ransomware targeting of healthcare: lower-resourced community health providers and FQHCs are frequently targeted because they tend to have weaker security postures than large hospital systems while still holding valuable PHI.
Sandhills Medical Ransomware Breach: What You Should Do Now
If you are a Sandhills Medical Foundation patient or received a breach notification letter:
- Request your free credit reports from all three bureaus (Equifax, Experian, TransUnion) at AnnualCreditReport.com and review for unauthorized accounts or inquiries.
- Place a credit freeze (not a fraud alert — a full freeze) with each of the three major credit bureaus. This prevents new credit accounts from being opened in your name.
- Review your Explanation of Benefits (EOB) statements from your insurance provider for services you did not receive. Medical identity fraud often surfaces as fraudulent claims.
- Monitor your Social Security earnings record at ssa.gov to detect ITIN/SSN misuse.
- File an identity theft report with the FTC at IdentityTheft.gov if you detect fraudulent activity. This creates a legal record and triggers a recovery plan.
Detection and Verification Checklist
For security teams and compliance officers monitoring for secondary exposure from this breach:
- Check the HHS OCR Breach Portal (the “Wall of Shame” at ocrportal.hhs.gov) for the official Sandhills Medical filing; it will list affected states and the number of individuals notified.
- Monitor dark web threat intelligence feeds for Sandhills Medical Foundation data being actively traded or weaponized.
- If you operate a downstream partner (labs, billing services, specialists) that shared patient data with Sandhills Medical, assess whether your business associate agreement (BAA) obligates notification to your own patients.
- For SOC teams: Inc Ransom indicators of compromise (IOCs) are available via public threat intel sources including the FBI flash advisory on Inc Ransom published in late 2024.
The SecurityWeek report notes the nearly year-long gap between discovery and disclosure. HHS OCR investigations into HIPAA notification failures typically begin with the breach report itself — meaning regulatory scrutiny is likely already underway.
Sources: SecurityWeek, Malware News, ClaimDepot, RedPacket Security — Inc Ransom listing

