INC Ransom Group Behind Sandhills Medical Foundation Breach Exposing 169,017 Patients
Sandhills Medical Foundation discloses a May 8, 2025 ransomware attack by INC Ransom that exposed personal data of 169,017 patients, including SSNs and health records.

TL;DR: On May 8, 2025, Sandhills Medical Foundation detected a ransomware intrusion attributed to the INC Ransom group. The breach exposed personal information, including Social Security numbers and health records, for 169,017 individuals nationwide.
Context: Sandhills Medical Foundation is a Federally Qualified Health Center operating clinics in Chesterfield, Kershaw, Lancaster and Sumter counties in South Carolina. It provides primary care, behavioral health, laboratory, infectious disease treatment and pharmacy services to a largely rural patient base.
Key Facts: The organization identified the ransomware incident on May 8, 2025 after noticing unauthorized activity on its network. Investigators traced the intrusion to the INC Ransom group via a dark‑web post claiming responsibility. The attackers accessed a server directly and exfiltrated data for 169,017 patients, with 78,496 located in South Carolina and eight in Maine. Exposed information varied by individual but included dates of birth, Social Security numbers, Individual Taxpayer Identification Numbers, driver’s licenses, passports, financial details and personal health information.
What It Means: The breach places affected individuals at heightened risk of identity theft, financial fraud and medical identity misuse. Because the data includes government identifiers and health records, downstream harms could extend to fraudulent insurance claims or unauthorized prescription fills. Legal firms have begun investigating potential class‑action claims, suggesting possible financial liability for the foundation.
Mitigations / What Defenders Should Do:
- Patch internet-facing remote access services (VPN gateways, RDP, edge appliances) promptly and track vendor advisories and known-exploited-vulnerability lists for them; unpatched edge devices are a common ransomware entry point.
- Enforce multi-factor authentication on all privileged and remote-access accounts and review authentication logs for anomalous login patterns such as new source addresses, off-hours access, or bursts of failures followed by a success (MITRE ATT&CK T1078 – Valid Accounts).
- Segment the network so that a compromised server cannot reach patient data stores directly, and restrict server-to-server administrative protocols to jump hosts.
- Build detections for common ransomware-operator behaviour: interactive use of scripting interpreters and living-off-the-land administration tools (T1059 – Command and Scripting Interpreter), bulk staging of data before exfiltration, and mass file encryption (T1486 – Data Encrypted for Impact).
- Maintain offline, encrypted backups and test restoration regularly so recovery does not depend on paying a ransom.
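The second mitigation above, reviewing authentication logs for anomalous privileged logins, is easy to prototype. The script below is an added illustration and is not code from the article, from Sandhills Medical Foundation, or from any vendor. The log format, account names, source addresses, business-hours window and thresholds are all assumptions constructed for the example; a real deployment would read from a SIEM or the VPN/RDP logs themselves and baseline each account over weeks rather than over one file.

```python
"""Flag anomalous privileged logins in constructed auth-log lines (T1078 review).

Added example, not from the original article. Log format, accounts, IPs
and thresholds are all constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip> svc=<service>"
SAMPLE_LOG = """\
2025-05-06T09:12:01 OK user=admin.jdoe src=10.1.4.22 svc=vpn
2025-05-06T17:48:10 OK user=admin.jdoe src=10.1.4.22 svc=vpn
2025-05-07T10:03:44 OK user=svc.backup src=10.1.9.5 svc=rdp
2025-05-08T02:14:05 FAIL user=admin.jdoe src=203.0.113.77 svc=vpn
2025-05-08T02:14:09 FAIL user=admin.jdoe src=203.0.113.77 svc=vpn
2025-05-08T02:14:13 FAIL user=admin.jdoe src=203.0.113.77 svc=vpn
2025-05-08T02:14:20 OK user=admin.jdoe src=203.0.113.77 svc=vpn
2025-05-08T02:31:58 OK user=svc.backup src=10.1.9.5 svc=rdp
"""

PRIVILEGED = {"admin.jdoe", "svc.backup"}  # assumed set of privileged accounts
BUSINESS_HOURS = range(7, 20)              # 07:00-19:59 treated as normal
FAIL_BURST = 3                             # failures before a success that alert
FAIL_WINDOW = timedelta(minutes=5)         # window in which those failures count


def parse_line(line):
    """Turn one log line into a dict with a datetime and key=value fields."""
    ts, result, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "ok": result == "OK", **fields}


def find_anomalies(log_text):
    """Return a list of (timestamp, user, reason) for suspicious privileged logins.

    Three rules, each a weak signal alone but strong in combination:
      new_source    - successful login from a source IP not seen earlier in
                      the log for that account (first login is the baseline)
      off_hours     - successful login outside BUSINESS_HOURS
      brute_success - success preceded by >= FAIL_BURST failures from the
                      same source for the same account within FAIL_WINDOW
    """
    seen_src = defaultdict(set)        # user -> source IPs already seen succeeding
    recent_fail = defaultdict(list)    # (user, src) -> timestamps of failures
    alerts = []
    for raw in log_text.strip().splitlines():
        e = parse_line(raw)
        if e["user"] not in PRIVILEGED:
            continue
        key = (e["user"], e["src"])
        if not e["ok"]:
            recent_fail[key].append(e["ts"])
            continue
        reasons = []
        if seen_src[e["user"]] and e["src"] not in seen_src[e["user"]]:
            reasons.append("new_source")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        fails = [t for t in recent_fail[key] if e["ts"] - t <= FAIL_WINDOW]
        if len(fails) >= FAIL_BURST:
            reasons.append("brute_success")
        recent_fail[key] = []          # a success closes the failure window
        seen_src[e["user"]].add(e["src"])
        alerts.extend((e["ts"].isoformat(), e["user"], r) for r in reasons)
    return alerts


if __name__ == "__main__":
    for ts, user, reason in find_anomalies(SAMPLE_LOG):
        print(f"{ts} {user:12} {reason}")
```

Against the constructed log, the admin account's 02:14 login trips all three rules at once, which is the pattern worth paging on. The backup service account's 02:31 login trips only off_hours; that is a reminder that thresholds like BUSINESS_HOURS must be set per account (a nightly backup job is normal) or the rule produces noise that analysts learn to ignore.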
Watch for follow-on extortion attempts or dark-web leaks tied to this breach; groups such as INC Ransom commonly publish stolen data in stages to increase pressure on the victim organization.