Inc Ransom claims Sandhills Medical data as 170k patient notifications arrive

A South Carolina healthcare provider has begun notifying 170,000 individuals of a ransomware breach discovered in May 2025, with the Inc Ransom group having published stolen data months before patients were formally told.

 

What happened

Sandhills Medical Foundation, a healthcare provider based in South Carolina, has disclosed a data breach affecting 169,761 individuals following a ransomware attack first detected on May 8, 2025. According to SecurityWeek, the organization filed a notification with the Maine Attorney General's Office confirming the total affected, while its own public notice described the scope more narrowly as affecting "select patients." The Inc Ransom ransomware group listed Sandhills Medical on its dark web leak site in early June 2025 and has since made the allegedly stolen files available for download. Compromised data includes names, dates of birth, Social Security numbers, Taxpayer Identification Numbers, driver's licenses, government-issued identification, passports, financial information, and personal health information.

 

Going deeper

The timeline is notable: Sandhills Medical detected the attack in May 2025, Inc Ransom published the data in June 2025, and formal patient notifications did not go out until April 2026, nearly a year after the breach was discovered. HIPAA's Breach Notification Rule requires covered entities to notify affected individuals within 60 days of discovering a breach. A gap of this length between discovery and notification is likely to attract regulatory scrutiny from the HHS Office for Civil Rights. The breach notice on Sandhills Medical's own website states the organization has been working with law enforcement, cybersecurity experts, and a forensics firm throughout the investigation, which is the standard justification offered when notification timelines extend beyond the 60-day window.

 

What was said

In its data security incident notice, Sandhills Medical stated it discovered the ransomware attack on May 8, 2025, and has since been working with law enforcement and cybersecurity experts to investigate the intrusion and determine its full impact. The organization said it has no evidence of fraud or identity theft resulting from the incident.

 

In the know

Inc Ransom is one of the five most reported ransomware variants in the FBI's 2025 Internet Crime Report, which named healthcare the most targeted critical infrastructure sector for the year. The group uses double extortion, stealing data before encrypting systems and publishing stolen files when ransoms go unpaid. Sandhills Medical is not its only healthcare victim; Inc Ransom has also claimed attacks on McLaren Health Care, which affected 2.2 million patients, and Surgical Associates of Mobile in Alabama. The group's consistent targeting of smaller and mid-sized healthcare providers indicates a deliberate strategy of pursuing organizations with limited security resources and high operational pressure to restore systems quickly.

 

The big picture

The gap between Inc Ransom publishing stolen Sandhills Medical data in June 2025 and patients receiving notification letters in April 2026 represents ten months during which affected individuals had no formal warning despite their data being publicly available for download on a criminal leak site. For the 170,000 people affected, that window is consequential. Social Security numbers, passport details, and financial information were accessible to anyone who visited the leak site long before any protective action was prompted by official notification. The Sandhills case is part of a consistent pattern in 2025 and 2026 where ransomware group leak site disclosures precede official patient notifications by months, creating a gap that regulators have flagged as a compliance failure, regardless of how complex the underlying investigation may be.

 

FAQs

What is the HIPAA notification deadline, and when does the clock start?

HIPAA requires covered entities to notify affected individuals within 60 days of discovering a breach. The clock starts at discovery, not at the conclusion of a forensic investigation. Organizations can investigate and notify simultaneously, and the 60-day window does not pause while the investigation continues.

 

Why does the Maine AG filing often reveal a higher number than the organization's own notice?

State breach notification laws require organizations to report to the Attorney General when residents are affected, and those filings include a specific headcount. Organizations sometimes use broader or softer language in their own public notices, making the AG filing the more precise public record of the actual scope.

 

What makes Inc Ransom a persistent threat to healthcare?

Inc Ransom targets sectors where operational downtime creates maximum pressure to pay, and healthcare fits that profile precisely. The group has claimed attacks on multiple major health systems and continues recruiting affiliates, making it one of the more active and consistent threats to the sector documented in 2025 and into 2026.

 

What does it mean for patients that their data was published on a leak site months before notification?

Data published on a ransomware leak site is accessible to other criminal actors who can download and use it for identity theft, fraud, or targeted social engineering. A ten-month gap means affected individuals had no prompt to take protective action while that window of exposure was open.

 

What should healthcare organizations do to avoid this notification timeline gap?

Opening a parallel HIPAA breach assessment alongside the forensic investigation from the moment of discovery, rather than waiting for the investigation to conclude before beginning notification planning, compresses the timeline. Retaining HIPAA counsel at the outset ensures notification obligations are tracked in real time rather than assessed after the fact.
