Sandhills Medical Foundation 2025 Data Breach

Sandhills Medical Foundation (SC) Community Health Center Breach (2025): 169K Patient Records Including SSN & Medical Data Exposed via INC Ransom | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

INC RansomRansomware / ExtortionMedicalDate of BirthDriver's LicenseEmail AddressFull NameMedical DiagnosisPhone NumberPhysical Address
High SeverityWebsite / service breach

Sandhills Medical Foundation (SC) Community Health Center Breach (2025): 169K Patient Records Including SSN & Medical Data Exposed via INC Ransom

Community health center providing primary and preventive care.

Verified by ObscureIQ Intelligence
87/100Breach Risk Index
60Data Value
40Market Recency
351dSince Breach

Breach Intelligence Summary

Entity: Sandhills Medical Foundation · Actor: INC Ransom · Sources: 2 references
Attack: Ransomware / Extortion
Profile: Nonprofit · Community healthcare services · Regional health organization · USA
Timeline: Breach (2025-05-02) · Year (2025)
Exposure: 169K records · 8 fields: Date of Birth, Driver's License, Email Address, Full Name, Medical Diagnosis, Phone Number, Physical Address, Social Security Number
Status: Confirmed

Executive Summary

Sandhills Medical Foundation, a South Carolina federally qualified health center, suffered a ransomware attack by the INC Ransom group with network access from about May 2-8, 2025 (detected May 8 when files were encrypted). INC Ransom listed Sandhills on May 30, 2025 and leaked all stolen data on June 15, 2026 after no ransom was paid. Sandhills notified 169,017 individuals around April 28, 2026. Exposed data included names, dates of birth, and health information, and (per the notice) may also have included Social Security numbers, ITINs, driver's license/government ID numbers, passport numbers, and financial information. (NOTE: prior record count was 63,150; official figure is 169,017.)

ObscureIQ assessment: High risk of identity theft and medical fraud. Healthcare affiliation also creates strong potential for treatment-themed phishing and privacy harms tied to patient status.

Breach Impact

The exposure of Social Security numbers, dates of birth, driver's license/government IDs, and health information for over 169,000 patients, later fully leaked by INC Ransom, creates severe identity-theft, medical-fraud, and insurance-abuse risk. As an FQHC serving rural, underserved communities, affected patients may have fewer resources to detect and recover from fraud, and the delayed notification widened the exposure window.

About Sandhills Medical Foundation

Sandhills Medical Foundation is a nonprofit federally qualified health center (FQHC) providing primary and preventive care across Chesterfield, Kershaw, Lancaster, and Sumter Counties in South Carolina, largely serving rural and underserved populations. It maintains patient identity, insurance, billing, and clinical records.

Why They Hold Your Data

Regional healthcare organizations collect patient identity, insurance, billing, treatment, and administrative records across community care operations.

Recent Developments

A ransomware attack by the INC Ransom group compromised Sandhills’ network in early May 2025 (access ~May 2-8, detected May 8 when files were encrypted). INC Ransom listed Sandhills on May 30, 2025 and leaked the stolen data on June 15, 2026 after the ransom went unpaid. Sandhills notified 169,017 individuals around April 28, 2026; class-action investigations followed.

Data Points Exposed

8 verified field types
Date of Birth High
Driver's License Critical
Email Address
Full Name High
Medical Diagnosis Critical
Phone Number
Physical Address High
Social Security Number Critical

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Identity theft and synthetic identity construction using SSN, DOB, and driver's license
  • Medical identity fraud and insurance abuse using health data
  • Targeted phishing and vishing referencing clinic care or billing
  • Doxxing and physical targeting from exposed home addresses
  • Heightened harm to rural/underserved patients with fewer recovery resources
Threat vectors:
  • Full identity theft & synthetic identity fraud
  • Medical extortion, insurance fraud & discrimination
  • Identity fraud with official bodies
  • Name-based social engineering
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat

Threat Actor: INC Ransom

INC Ransom
Ransomware / Extortion

Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware / Extortion.

Recommended Actions

If you believe your information may be included:

Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Sandhills Medical Foundation breach?

Sandhills Medical Foundation, a South Carolina federally qualified health center, suffered a ransomware attack by the INC Ransom group with network access from about May 2-8, 2025 (detected May 8 when files were encrypted). INC Ransom listed Sandhills on May 30, 2025 and leaked all stolen data on…

What data was exposed?

Verified fields include Date of Birth, Driver's License, Email Address, Full Name, Medical Diagnosis, Phone Number, Physical Address, Social Security Number.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation