Sandhills Medical Foundation, a South Carolina-based federally qualified health center, has confirmed a ransomware attack that compromised the personal and medical information of 169,017 patients. The breach was disclosed via the Office of the Maine Attorney General, with notification letters sent to affected individuals on April 28th.
What Happened
According to the disclosure, an unauthorized third party directly accessed Sandhills' server on May 2nd, 2025. The intrusion went undetected for nearly a week before Sandhills discovered the breach on May 8th, 2025. The healthcare provider states that it regained control of its network and engaged cybersecurity experts, law enforcement, and an independent forensic firm to investigate the scope of the compromise. A subsequent data mining process was conducted to identify which individuals had been impacted.
In its notice, Sandhills described the event as a ransomware attack, a class of intrusion in which threat actors deploy encryption malware to lock victims out of their data and extort payment. While the ransomware family and threat actor have not been publicly attributed, the dwell time and direct server access suggest a targeted operation rather than an opportunistic compromise.
What Was Taken
The breach exposed sensitive records belonging to 169,017 individuals. According to Sandhills' notice, the compromised information varied by individual and may have included:
- Personal health information (PHI)
- Dates of birth
- Other personal identifiers tied to patient records
Given Sandhills' role as a federally qualified health center, the affected population likely includes underserved and low-income patients who rely on the foundation for primary care, making the downstream identity theft and medical fraud risk particularly acute.
Why It Matters
Healthcare remains one of the most targeted verticals in the ransomware ecosystem. Federally qualified health centers (FQHCs) like Sandhills typically operate on thin margins with limited security budgets, while holding rich datasets that combine PHI, demographic data, and insurance identifiers. That combination commands premium prices on dark web markets and fuels long-tail fraud schemes including medical identity theft, prescription fraud, and benefits abuse.
The seven-day detection gap between intrusion and discovery is consistent with industry averages but underscores ongoing visibility gaps in mid-market healthcare environments. For defenders, this incident reinforces the pattern of ransomware operators prioritizing data exfiltration alongside encryption, ensuring leverage even when victims restore from backups.
The Attack Technique
Sandhills' notice indicates that an unauthorized third party "accessed our server directly," suggesting an externally exposed system or compromised credentials rather than a phishing-led endpoint compromise. The specific initial access vector, ransomware strain, and exfiltration method have not been disclosed. Direct server access of this kind is commonly associated with:
- Exploitation of unpatched internet-facing services (VPN, RDP, file transfer appliances)
- Valid credentials obtained from infostealers or initial access brokers
- Exposed management interfaces lacking multi-factor authentication
The "data mining" process referenced in the notice is Sandhills' own post-incident review to identify affected individuals, not a description of attacker activity, and the notice does not say whether data was exfiltrated before encryption. Bulk data staging and exfiltration ahead of the encryption event is nonetheless the double-extortion tradecraft used by most modern ransomware affiliates, so defenders should treat exfiltration as likely until forensic findings say otherwise.
What Organizations Should Do
- Audit external attack surface: Identify and harden any internet-exposed servers, RDP endpoints, VPN appliances, and management interfaces. Patch known CVEs in edge devices on an accelerated cadence.
- Enforce MFA on all remote access: Require phishing-resistant MFA for VPNs, remote desktop, email, and any administrative portal.
- Deploy EDR with behavioral detection: Ensure endpoint detection coverage extends to servers, not just workstations, and that ransomware precursors such as mass file modification, shadow copy deletion, and credential theft tooling are monitored.
- Segment PHI repositories: Isolate clinical and patient data systems from general-purpose IT infrastructure to limit lateral movement and reduce blast radius during a compromise.
- Validate backup integrity and isolation: Maintain offline, immutable backups and routinely test restoration. Assume the threat actor will attempt to destroy or encrypt backups during the intrusion.
- Monitor for data staging and exfiltration: Implement DLP and network egress monitoring for unusual outbound transfers, especially to cloud storage providers commonly abused by ransomware affiliates.
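As an added illustration of the behavioral detections named above (not code from the page, from Sandhills, or from any vendor), the following Python sketch flags shadow-copy deletion commands and bursts of file renames by a single process over constructed sample endpoint events; the log format, hostnames, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for shadow-copy deletion, a common pre-encryption step.
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
MASS_WINDOW = timedelta(seconds=60)   # sliding window for the mass-modification rule (assumed)
MASS_THRESHOLD = 25                   # renames by one process inside the window (assumed)

def parse(line):
    """'<ISO ts> <host> <type> <pid> <detail>' -> dict; detail may contain spaces."""
    ts, host, etype, pid, detail = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": etype,
            "pid": int(pid), "detail": detail}

def detect(lines):
    """Return (rule, host, pid) alerts, at most one per rule and process."""
    alerts, seen = [], set()
    renames = defaultdict(list)       # (host, pid) -> rename timestamps in window
    def fire(alert):
        if alert not in seen:
            seen.add(alert)
            alerts.append(alert)
    for ev in (parse(l) for l in lines if l.strip()):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process" and any(p.search(ev["detail"]) for p in SHADOW_DELETE):
            fire(("shadow_copy_deletion",) + key)
        elif ev["type"] == "file_rename":
            window = renames[key]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > MASS_WINDOW:   # expire old events
                window.pop(0)
            if len(window) >= MASS_THRESHOLD:
                fire(("mass_file_modification",) + key)
    return alerts

# Constructed sample telemetry (not from the Sandhills incident): one process on FS01
# deletes shadow copies and then renames 30 files within two seconds, while a user on
# WS07 renames six files over an hour and should stay below the threshold.
SAMPLE = ["2025-05-02T03:14:05 FS01 process 4120 vssadmin.exe delete shadows /all /quiet",
          "2025-05-02T03:14:07 FS01 process 4120 wmic.exe shadowcopy delete"]
SAMPLE += [f"2025-05-02T03:14:{10 + i // 15:02d} FS01 file_rename 4120 D:\\shares\\billing\\claim_{i:04d}.pdf.locked"
           for i in range(30)]
SAMPLE += [f"2025-05-02T09:{i * 10:02d}:00 WS07 file_rename 2200 C:\\Users\\nurse\\note_{i}.docx.bak"
           for i in range(6)]

if __name__ == "__main__":
    for rule, host, pid in detect(SAMPLE):
        print(f"ALERT {rule}: host={host} pid={pid}")
```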