Sandhills Medical Foundation Says Ransomware Breach Exposed 169,017 Patients
Sandhills Medical Foundation, a South Carolina healthcare provider, notified patients that a ransomware-related breach exposed the data of 169,017 people after an unauthorized party accessed a server and stole files. The organization said it discovered the incident on May 8, 2025 after system disruptions initially linked to a vendor-related technical issue, and a subsequent forensic investigation determined that data had been exfiltrated from systems affecting select patients.
The compromised information reportedly included sensitive personal, financial, and health data, raising risks of identity theft and medical privacy exposure. The ransomware group Inc later claimed responsibility and added Sandhills to its leak site on May 30, 2025, though Sandhills did not publicly confirm the gang's involvement and said it did not pay a ransom; reporting also noted the case as one of the larger healthcare breaches attributed to the group.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Sandhills discloses breach affecting 169,017 people
By late April 2026, Sandhills Medical Foundation publicly disclosed that the May 2025 incident affected 169,017 individuals. The organization said exposed data included sensitive personal, financial, and health information.
Inc ransomware group lists Sandhills on its leak site
On May 30, 2025, the ransomware group Inc claimed responsibility for the Sandhills Medical Foundation breach and posted the organization on its leak site. Sandhills did not publicly confirm Inc's involvement and said it did not pay a ransom.
Sandhills detects system disruptions and discovers unauthorized server access
On May 8, 2025, Sandhills Medical Foundation discovered an incident after system disruptions initially tied to a vendor-related technical issue. A forensic investigation later determined that an unauthorized third party had directly accessed a server and stolen data for certain patients.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Mar 21, 2026
Healthcare Data Breach and Ransomware Incident Roundup
Several healthcare-related organizations disclosed **separate data breach incidents** involving ransomware, unauthorized network access, and third-party compromise. CommonSpirit Health said patient data was exposed through a downstream vendor chain after **Pinnacle Holdings Ltd** suffered a ransomware attack, with attackers present in the network from November 11 to November 25, 2024, and exfiltrating files before the incident was later relayed through **NorthGauge Healthcare Advisors**. Meadowlark Hills and MedPeds also disclosed breaches tied to the **Beast ransomware** group, while Tieu Dental reported unauthorized access to its network in July 2025 that exposed patient information including Social Security numbers, medical and insurance data. These incidents led to regulatory notifications and offers of credit monitoring or identity theft protection for affected individuals. A separate legal development involved **Geisinger Health** and **Nuance Communications**, where a judge approved a **$5 million settlement** over claims tied to a former Nuance employee's theft of medical records affecting about 1.3 million patients. That matter differs from the ransomware and breach notifications because it concerns civil litigation over an earlier insider data theft rather than a newly disclosed intrusion. Overall, the reporting reflects ongoing exposure of protected health information across the healthcare sector through both direct attacks and third-party relationships, with delayed notification timelines and incomplete early visibility into the full scope of compromised data remaining recurring issues.
Apr 17, 2026
Change Healthcare Ransomware Breach Grew to 190 Million Victims
UnitedHealth Group said the ransomware attack on Change Healthcare affected about **190 million people**, making it the largest known breach of U.S. health and medical data. The February 2024 intrusion, attributed to the Russian-speaking **ALPHV/BlackCat** operation, triggered nationwide outages that disrupted pharmacy services, insurance claims, prior authorizations, billing, and prescription access, including impacts on military pharmacies. Exposed data reportedly included medical records, diagnoses, medications, test results, treatment plans, insurance details, and financial information. Reporting and subsequent testimony tied the breach to basic security failures, including use of a stolen credential on an account without **multi-factor authentication** and weak network segmentation. The fallout widened when **RansomHub** claimed it had obtained the same stolen dataset—about **4TB** of data—after ALPHV allegedly kept a **$22 million** ransom payment in an apparent exit scam. Hospitals and providers said the prolonged outage strained cash flow and patient care, while UnitedHealth faced HIPAA notifications, lawsuits, congressional scrutiny, and criticism from the American Hospital Association over what it called an inadequate response and funding program.
May 25, 2026