Sandhills Medical Ransomware Attack Exposes Data of 170,000 Patients
Sandhills Medical Foundation suffered a ransomware attack, exposing personal and health data of nearly 170,000 individuals. Learn the timeline, impact, and mitigation steps.
TL;DR
Sandhills Medical Foundation suffered a ransomware intrusion discovered on May 8 2025; the Inc Ransom group later posted stolen records, affecting almost 170,000 people.
Context
South Carolina's Sandhills Medical Foundation, a regional health provider, disclosed a breach that exposed names, dates of birth, Social Security numbers, tax IDs, driver's licenses, passports, financial details, and health information. The organization only announced the incident publicly nearly a year after detection, after completing forensic analysis and notifying law enforcement.
Key Facts
- The ransomware attack was first identified on May 8 2025 when abnormal network activity triggered the internal security team's alert.
- Forensic investigators linked the intrusion to the Inc Ransom criminal group, which posted the stolen files on its public leak site in early June 2025.
- The leak includes data for roughly 170,000 individuals, a figure confirmed in communications with the Maine Attorney General's Office.
- No evidence suggests that the attackers altered clinical systems, but the exfiltrated data spans personal identifiers and protected health information, raising compliance concerns under HIPAA (Health Insurance Portability and Accountability Act).
- The breach prompted collaboration with federal law enforcement, a third-party cybersecurity firm, and a digital forensics company to contain the incident and assess the full scope.
What It Means
The exposure underscores the persistent targeting of healthcare providers, whose records command high resale value on underground markets. Attackers likely entered through a known vulnerability in remote desktop services, a common entry point cataloged as CVE-2022-26923, and employed the MITRE ATT&CK technique T1078 (Valid Accounts) to move laterally across the network. The rapid public posting of data suggests the group prioritized extortion over prolonged encryption, a shift observed in recent ransomware campaigns.
Mitigations
- Patch all remote access services immediately; apply the latest Microsoft updates addressing CVE-2022-26923.
- Enforce multi-factor authentication for all privileged accounts to block technique T1078.
- Deploy network segmentation to isolate electronic health record (EHR) systems from general-purpose workstations.
- Enable continuous monitoring for abnormal file-transfer patterns using a Security Information and Event Management (SIEM) platform.
- Conduct regular phishing simulations and employee training, as credential theft remains a primary vector.
- Review and update incident response playbooks to include ransomware-specific containment steps, such as isolating affected endpoints and preserving volatile memory for forensic analysis.
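The "abnormal file-transfer patterns" item above is the kind of rule that would have fired during the exfiltration phase, before the data reached a leak site. As an added illustration (not code from the article or from Sandhills Medical), the following builds a per-host baseline of daily outbound bytes from a known-good window and flags hosts whose volume later exceeds both a multiple of that baseline and an absolute floor; the log format, hostnames, addresses and thresholds are all constructed.

```python
# Added example: baseline-vs-today outbound volume check for exfiltration.
# Flow lines are constructed as "timestamp,src_host,dst_ip,bytes_out".
from collections import defaultdict
from statistics import median

# Constructed known-good window (before the intrusion).
BASELINE_LOGS = """\
2025-05-01T10:00:00,ehr-db01,203.0.113.10,120000
2025-05-01T11:00:00,ehr-db01,203.0.113.10,110000
2025-05-02T10:00:00,ehr-db01,203.0.113.10,130000
2025-05-01T10:00:00,ws-billing07,198.51.100.5,40000
2025-05-02T10:00:00,ws-billing07,198.51.100.5,45000
"""

# Constructed day under review: one host pushes gigabytes to a new address.
TODAY_LOGS = """\
2025-05-08T02:13:00,ehr-db01,192.0.2.77,2100000000
2025-05-08T02:40:00,ehr-db01,192.0.2.77,1900000000
2025-05-08T09:00:00,ws-billing07,198.51.100.5,42000
"""

def parse_flows(text):
    """Yield (host, day, bytes_out) from the constructed CSV lines."""
    for line in text.splitlines():
        ts, host, _dst, nbytes = line.split(",")
        yield host, ts[:10], int(nbytes)

def daily_bytes_per_host(text):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for host, day, nbytes in parse_flows(text):
        totals[(host, day)] += nbytes
    return totals

def build_baseline(text):
    """Median daily outbound bytes per host over the known-good window."""
    per_host = defaultdict(list)
    for (host, _day), total in daily_bytes_per_host(text).items():
        per_host[host].append(total)
    return {host: median(vals) for host, vals in per_host.items()}

def flag_abnormal_transfers(baseline, text, ratio=10.0, floor=500_000_000):
    """Return (host, day, bytes) where volume exceeds ratio x baseline AND
    an absolute floor; the floor keeps quiet hosts from alerting on noise.
    Hosts with no baseline fall back to the floor alone."""
    alerts = []
    for (host, day), total in sorted(daily_bytes_per_host(text).items()):
        base = baseline.get(host, 0)
        if total > ratio * base and total > floor:
            alerts.append((host, day, total))
    return alerts
```

In a SIEM the baseline would come from a rolling window and the alert would also carry the destination, which here is a previously unseen address for the flagged host.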
Looking Ahead
Security teams should watch for follow-up leaks from Inc Ransom and monitor emerging ransomware-as-a-service offerings that could accelerate attacks on other healthcare entities.