Inc Ransom Ransomware Breach at Sandhills Medical Exposes 169,017 Patients — Notified 12 Months Later

Sandhills Medical Foundation discloses a ransomware breach by Inc Ransom affecting 169,017 patients — nearly 12 months after the attack was detected and 10 months after stolen data was published publicly.

Inc Ransom ransomware breached Sandhills Medical Foundation exposing 169,017 patients' SSNs, health records and financial data — notifications sent nearly 12 months after discovery.

Inc Ransom breached Sandhills Medical Foundation in May 2025, published patient data publicly in June 2025, and affected patients weren't notified until April 2026 — nearly a year later.

CHESTERFIELD COUNTY, SOUTH CAROLINA — Sandhills Medical Foundation discovered a ransomware attack on May 8, 2025. The organization serves patients across Chesterfield, Kershaw, Lancaster, and Sumter Counties — rural communities with limited access to alternative healthcare providers. The compromised data includes full names, dates of birth, Social Security numbers, Taxpayer Identification Numbers, driver's licenses, government-issued identification, passports, financial information, and personal health information. Inc Ransom listed Sandhills Medical on its leak site in early June 2025 and has since made the allegedly stolen files available for download.

Breach profile

Breach Intelligence: Sandhills Medical Foundation

Detail | Information
Victim | Sandhills Medical Foundation — Federally Qualified Health Center, South Carolina
Patients Affected | 169,017 individuals — disclosed to Maine, South Carolina, and Vermont Attorney General offices
Threat Actor | Inc Ransom ransomware group
Attack Detected | May 8, 2025
Dark Web Listing | June 3, 2025 — data published and made available for download on Inc Ransom leak site
Patient Notifications | April 28, 2026 — nearly one year after discovery
Data Compromised | Names, dates of birth, SSNs, TINs, driver's licenses, passports, financial information, personal health information

The data: a full identity theft toolkit

The compromised dataset represents a comprehensive identity theft resource. SSNs and TINs enable fraudulent tax filings. Passport data enables international identity fraud. Financial information creates direct account takeover exposure. Personal health information enables insurance fraud. Inc Ransom has published the files publicly, meaning the data is freely accessible to any actor who seeks it.

The 12-month notification delay

The gap between attack detection (May 8, 2025) and patient notification (April 28, 2026) — nearly 12 months — is the critical secondary issue. HIPAA's Breach Notification Rule requires notification "without unreasonable delay and in no case later than 60 days" after discovery. With Inc Ransom publishing stolen data publicly in June 2025, affected patients had nearly ten months of unmitigated exposure before receiving official notification. The Sandhills case echoes the delayed disclosure pattern seen in the Kettering Health ransomware breach.


What to do now

If you are or were a patient of Sandhills Medical Foundation, place a fraud alert or credit freeze with all three major credit bureaus (Equifax, Experian, TransUnion) immediately. Monitor all financial accounts for unusual activity going back to June 2025. Be vigilant for phishing attempts referencing Sandhills Medical by name. Enroll in the free credit monitoring offered by Sandhills Medical and report any identity theft to the FTC at identitytheft.gov.


The CyberSignal Analysis

Signal 01 — Rural FQHCs are high-value, low-defense targets

Federally Qualified Health Centers serving rural communities combine sensitive, monetizable data with limited IT security resources. Sandhills Medical serves patients across four South Carolina counties — a patient population that is disproportionately uninsured or underinsured and therefore less likely to have rapid access to fraud remediation services when their data is compromised.

Signal 02 — A 12-month notification timeline has regulatory consequences

HIPAA's 60-day notification requirement appears to have been significantly exceeded. With Inc Ransom publishing stolen data publicly in June 2025, affected patients had nearly ten months of unmitigated exposure before receiving official notification. Watch for HHS OCR enforcement action.

Signal 03 — Published data does not expire

The 169,017 affected individuals face fraud risk not just in 2026 but for years to come. SSNs cannot be changed. For rural healthcare providers, this incident illustrates why ransomware is not a recoverable operational disruption — it is a permanent data loss event with ongoing downstream consequences.


Type | Source
Primary | SecurityWeek: Sandhills Medical Says Ransomware Breach Affects 170,000
Official | Claim Depot: Sandhills Medical Foundation Data Breach — Full Patient Details
Legal | Migliaccio and Rathod: Sandhills Medical Data Breach Investigation