Sandhills Medical Faces Legal Scrutiny After Delayed Notification of 169k-Patient Ransomware Breach
Details on the Sandhills Medical ransomware attack, the 169,017‑patient data exposure, the delayed notification, and what defenders should do next.

TL;DR: Sandhills Medical suffered a ransomware attack on May 8, 2025 that exposed the data of 169,017 patients. The provider did not send breach notices until April 28, 2026, raising possible violations of HIPAA and state breach-notification laws.
Sandhills Medical Foundation, a federally qualified health center in South Carolina, detected the intrusion only after the Inc Ransom group posted its name on a leak site in early June 2025. By then the attackers had both encrypted systems and exfiltrated personal, health, and financial data; the theft took place before the ransom note appeared.
Approximately 169,017 individuals had dates of birth, Social Security numbers, ITINs, driver's license numbers, passport numbers, financial details, and medical records potentially accessed. The attack followed the double-extortion model: files were encrypted while the group threatened to publish the stolen data. Notification to affected individuals was delayed nearly a year. HIPAA's Breach Notification Rule requires notice without unreasonable delay and no later than 60 calendar days after the breach is discovered, and many state statutes impose similar or shorter deadlines, so the delay may have breached both.
The delay could trigger civil monetary penalties from HHS's Office for Civil Rights and enforcement by state attorneys general, and it increases the likelihood of class-action suits alleging negligence. For healthcare organizations, the case underscores the legal risk of postponing breach disclosure even when ransomware groups claim the stolen data has been destroyed; such claims are unverifiable and do not pause the notification clock.
Mitigations: Defenders should patch internet-facing services against actively exploited vulnerabilities (the Microsoft Exchange flaws CVE-2021-26855 and CVE-2021-27065 are well-known examples of the class; they are not reported as the entry point in this incident) and enforce multifactor authentication on all remote access. Network segmentation limits lateral movement, while monitoring for unusual SMB or RDP connection patterns (MITRE ATT&CK T1021, Remote Services) helps catch an intrusion before encryption begins. Maintaining offline, encrypted, regularly restored backups and exercising the incident-response plan at least quarterly reduce the pressure to pay a ransom; note that backups restore availability but do not undo the data theft that double extortion relies on, so detection and egress monitoring matter as much as recovery.
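As an added illustration of the SMB/RDP monitoring point above (example code written for this page, not anything from Sandhills Medical, Inc Ransom reporting, or a vendor product): a small Python detector that reads constructed flow-log lines in an assumed `timestamp,src,dst,dst_port,action` layout and flags an internal host that opens SMB or RDP connections to many distinct peers inside a short window, the fan-out pattern that lateral movement under T1021 produces. The addresses, field layout, window and threshold are all assumptions chosen for the demonstration.

```python
"""Lateral-movement fan-out detector over SMB (445) and RDP (3389) flow records.

Added example for this page. The log format, IP addresses, window size and
threshold are assumptions; adjust them to the telemetry you actually have.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports whose fan-out from one source is suspicious (ATT&CK T1021 Remote Services).
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed sample flow log, one record per line: timestamp,src,dst,dst_port,action
# 10.20.5.17 is a normal workstation talking to one file server.
# 10.20.5.23 sweeps six hosts over SMB in under a minute, then RDPs to two of them.
# 10.20.9.8 uses RDP to several admin targets, but spread over hours.
SAMPLE_LOG = """\
2025-05-08T02:14:01,10.20.5.17,10.20.5.40,445,allow
2025-05-08T02:20:33,10.20.5.17,10.20.5.40,445,allow
2025-05-08T02:45:10,10.20.5.17,10.20.5.40,445,allow
2025-05-08T03:01:05,10.20.5.23,10.20.5.41,445,allow
2025-05-08T03:01:09,10.20.5.23,10.20.5.42,445,allow
2025-05-08T03:01:12,10.20.5.23,10.20.5.43,445,deny
2025-05-08T03:01:15,10.20.5.23,10.20.5.44,445,allow
2025-05-08T03:01:20,10.20.5.23,10.20.5.45,445,allow
2025-05-08T03:01:27,10.20.5.23,10.20.5.46,445,allow
2025-05-08T03:02:02,10.20.5.23,10.20.5.41,3389,allow
2025-05-08T03:05:48,10.20.5.23,10.20.5.44,3389,allow
2025-05-08T01:10:00,10.20.9.8,10.20.9.20,3389,allow
2025-05-08T01:40:00,10.20.9.8,10.20.9.21,3389,allow
2025-05-08T02:10:00,10.20.9.8,10.20.9.22,3389,allow
2025-05-08T02:50:00,10.20.9.8,10.20.9.23,3389,allow
2025-05-08T02:55:00,10.20.9.8,10.20.9.30,443,allow
"""


def parse_flow(line):
    """Parse one 'timestamp,src,dst,dst_port,action' record (assumed layout)."""
    ts, src, dst, port, action = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "action": action}


def fanout_alerts(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert per (src, port) whose distinct-peer count within any
    window of the given length reaches the threshold.

    Denied connections are counted as well: a host probing peers it cannot
    reach is exactly the behaviour segmentation is meant to make visible.
    """
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_flow(line)
        if rec["port"] in LATERAL_PORTS:
            by_src[(rec["src"], rec["port"])].append((rec["ts"], rec["dst"]))

    alerts = []
    for (src, port), events in by_src.items():
        events.sort()  # chronological; tuples sort on timestamp first
        best_peers, best_start = set(), None
        # Sliding window anchored at each event; fine for per-host volumes
        # like these, swap for a deque if you feed it a whole network's flows.
        for i, (t0, _) in enumerate(events):
            peers = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(peers) > len(best_peers):
                best_peers, best_start = peers, t0
        if len(best_peers) >= threshold:
            alerts.append({
                "src": src,
                "port": port,
                "service": LATERAL_PORTS[port],
                "peer_count": len(best_peers),
                "peers": sorted(best_peers),
                "window_start": best_start,
            })
    alerts.sort(key=lambda a: (a["window_start"], a["src"], a["port"]))
    return alerts


if __name__ == "__main__":
    for alert in fanout_alerts(SAMPLE_LOG.splitlines()):
        print(f"{alert['window_start'].isoformat()} {alert['src']} "
              f"-> {alert['peer_count']} peers over {alert['service']}: "
              f"{', '.join(alert['peers'])}")
```

With the defaults only the SMB sweep from 10.20.5.23 fires; the admin host's RDP sessions are too spread out to cross the threshold inside a ten-minute window, which is the point of windowing rather than counting peers per day. Tune the window and threshold to your environment (a backup server or vulnerability scanner will legitimately fan out and needs an allowlist), and treat the alert as a trigger for isolating the source host while the rest of the investigation runs.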
Watch for any official HHS OCR penalty announcement and the outcome of the pending litigation; either may set a precedent for how strictly breach-notification timelines are enforced in the health sector.