South Carolina-based healthcare provider Sandhills Medical Foundation has disclosed a ransomware breach impacting nearly 170,000 individuals, according to a data security incident notice published on the organization's website and a filing with the Maine Attorney General's Office. The intrusion, attributed to the Inc Ransom ransomware group, was originally discovered on May 8, 2025, with public notification arriving nearly a year later.
What Happened
Sandhills Medical Foundation detected a ransomware attack on May 8, 2025, and engaged law enforcement, cybersecurity experts, and a third-party forensics firm to investigate the scope of the intrusion. The Inc Ransom group claimed responsibility shortly afterward, listing the healthcare provider on its dark web leak site in early June 2025. When no ransom was evidently paid, Inc Ransom published the data it claimed to have stolen, making the files available for download. Public notification to affected individuals and regulators came almost a year after initial discovery, a timeline consistent with the extended forensic review and notification-list reconstruction common in large healthcare incidents.
What Was Taken
The breach exposed an exceptionally sensitive data set tied to roughly 170,000 patients. Compromised information includes:
- Full names and dates of birth
- Social Security Numbers
- Taxpayer Identification Numbers
- Driver's license numbers
- Government-issued identification
- Passport details
- Financial account information
- Personal health information (PHI)
The combination of SSNs, TINs, passports, and financial records represents a near-complete identity theft kit per affected individual, with PHI adding HIPAA exposure and elevated medical fraud risk.
Why It Matters
Healthcare remains one of the most heavily targeted sectors for ransomware operators because of the high sensitivity of the data, the regulatory and clinical pressure to restore operations quickly, and the weaker security maturity of smaller providers. Sandhills Medical Foundation, a federally qualified health center serving rural South Carolina, fits the profile of a regional provider with limited security staffing but rich data holdings. Inc Ransom's publication of the full data set after the extortion attempt failed reflects the group's continued aggressive double-extortion posture, and the year-long gap between detection and disclosure highlights the operational and legal drag healthcare organizations face after a ransomware incident.
The Attack Technique
Sandhills Medical has not publicly disclosed the initial access vector, dwell time, or specific tooling used in the intrusion, so the techniques below describe the group's general playbook rather than confirmed details of this incident. Inc Ransom, active since mid-2023, is known to gain initial access through phishing, exploitation of public-facing applications (notably Citrix and VPN appliance vulnerabilities), and abuse of valid credentials. The group typically performs lateral movement using legitimate administrative tools, exfiltrates data via cloud storage providers, and deploys its custom encryptor as the final stage. The publication of files on Inc Ransom's leak site confirms that data was exfiltrated, which in the group's established double-extortion playbook happens before the encryptor is deployed.
What Organizations Should Do
Healthcare organizations and similarly exposed sectors should take the following steps to reduce exposure to Inc Ransom and comparable threat actors:
- Patch and harden perimeter appliances. Prioritize VPN gateways, Citrix, and remote access infrastructure, which Inc Ransom regularly exploits for initial access.
- Enforce phishing-resistant MFA on all remote access, privileged accounts, and email, and disable legacy authentication protocols.
- Segment clinical and administrative networks to limit lateral movement and contain ransomware blast radius from a single compromised endpoint.
- Deploy and tune EDR with 24/7 monitoring, focusing on detections for credential dumping, suspicious RMM tool usage, and large outbound transfers to cloud storage providers.
- Maintain immutable, offline backups and rehearse restoration of critical patient systems under realistic time pressure.
- Review breach notification readiness, including legal counsel, forensic retainers, and templated communications, so disclosure does not stretch toward the one-year mark.
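The "large outbound transfers to cloud storage providers" detection named in the EDR recommendation above is the one most directly tied to Inc Ransom's exfiltrate-then-encrypt pattern, and it can be prototyped without any vendor tooling. The following Python script is an added example, not code from the original article or from any product: it reads tab-separated egress log lines (timestamp, source IP, destination host, bytes out), which is an assumed format, sums bytes sent to an assumed watchlist of cloud-storage domains per source host over a sliding one-hour window, and flags hosts that exceed a 500 MiB threshold. The log lines, domains, and threshold are all constructed for illustration.

```python
"""Flag hosts pushing unusually large volumes to cloud-storage domains.

Added example, not from the original article or any vendor product.
The log format (tab-separated: ts, src_ip, dst_host, bytes_out), the
domain watchlist, and the threshold are assumptions; the sample log
lines below are constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist: consumer file-sharing/cloud-storage domains commonly
# abused for staging stolen data. Tune to what your environment never uses.
CLOUD_STORAGE_DOMAINS = {
    "mega.nz", "mega.co.nz", "dropbox.com", "drive.google.com",
    "anonfiles.com", "transfer.sh",
}

# Assumed thresholds: more than 500 MiB from one host within one hour.
BYTES_THRESHOLD = 500 * 1024 * 1024
WINDOW = timedelta(hours=1)

# Constructed sample egress log: ts \t src_ip \t dst_host \t bytes_out
SAMPLE_LOG = """\
2025-05-07T22:01:13Z\t10.20.5.41\tupdates.example-ehr.test\t41256
2025-05-07T22:03:40Z\t10.20.5.41\tmega.nz\t188743680
2025-05-07T22:11:02Z\t10.20.5.41\tmega.nz\t209715200
2025-05-07T22:19:55Z\t10.20.5.41\tmega.nz\t146800640
2025-05-07T23:58:00Z\t10.20.7.12\tdrive.google.com\t5242880
2025-05-08T01:15:30Z\t10.20.7.12\tdrive.google.com\t4194304
"""


def parse_line(line):
    """Split one log line into (datetime, src_ip, dst_host, bytes_out)."""
    ts, src, host, nbytes = line.rstrip("\n").split("\t")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host.lower(), int(nbytes)


def matches_watchlist(host):
    """True if host is a watchlisted domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def find_exfil_candidates(log_text, threshold=BYTES_THRESHOLD, window=WINDOW):
    """Return {src_ip: (bytes_in_window, window_start, window_end)} for hosts
    that sent more than `threshold` bytes to watchlisted domains inside any
    `window`-long span. A sliding window over time-sorted events per host
    keeps the check linear in the number of events."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, nbytes = parse_line(line)
        if matches_watchlist(host):
            events[src].append((ts, nbytes))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        start, total = 0, 0
        for ts, nbytes in evs:
            total += nbytes
            # Drop events that have fallen out of the window ending at ts.
            while ts - evs[start][0] > window:
                total -= evs[start][1]
                start += 1
            if total > threshold:
                prev = hits.get(src)
                if prev is None or total > prev[0]:
                    hits[src] = (total, evs[start][0], ts)
    return hits


if __name__ == "__main__":
    for src, (total, first, last) in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"ALERT {src}: {total / 2**20:.0f} MiB to cloud storage "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the constructed log the script alerts on 10.20.5.41 (about 520 MiB to mega.nz in 16 minutes) and stays quiet on 10.20.7.12, whose small Google Drive uploads are both under the threshold and more than an hour apart. In production the same logic belongs in the SIEM or EDR query language rather than a script, a baseline of normal per-host egress should replace the fixed threshold, and the watchlist should be matched against DNS and TLS SNI logs as well as proxy logs so that direct-to-IP uploads are not missed.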
Sources: Sandhills Medical Says Ransomware Breach Affects 170,000 - SecurityWeek