Community health center providing primary and preventive care.
Sandhills Medical Foundation, a South Carolina federally qualified health center, suffered a ransomware attack by the INC Ransom group with network access from about May 2-8, 2025 (detected May 8 when files were encrypted). INC Ransom listed Sandhills on May 30, 2025 and leaked all stolen data on June 15, 2026 after no ransom was paid. Sandhills notified 169,017 individuals around April 28, 2026. Exposed data included names, dates of birth, and health information, and (per the notice) may also have included Social Security numbers, ITINs, driver's license/government ID numbers, passport numbers, and financial information. (NOTE: prior record count was 63,150; official figure is 169,017.)
ObscureIQ assessment: High risk of identity theft and medical fraud. Healthcare affiliation also creates strong potential for treatment-themed phishing and privacy harms tied to patient status.
The exposure of Social Security numbers, dates of birth, driver's license/government IDs, and health information for over 169,000 patients, later fully leaked by INC Ransom, creates severe identity-theft, medical-fraud, and insurance-abuse risk. As an FQHC serving rural, underserved communities, affected patients may have fewer resources to detect and recover from fraud, and the delayed notification widened the exposure window.
Sandhills Medical Foundation is a nonprofit federally qualified health center (FQHC) providing primary and preventive care across Chesterfield, Kershaw, Lancaster, and Sumter Counties in South Carolina, largely serving rural and underserved populations. It maintains patient identity, insurance, billing, and clinical records.
Regional healthcare organizations collect patient identity, insurance, billing, treatment, and administrative records across community care operations.
A ransomware attack by the INC Ransom group compromised Sandhills’ network in early May 2025 (access ~May 2-8, detected May 8 when files were encrypted). INC Ransom listed Sandhills on May 30, 2025 and leaked the stolen data on June 15, 2026 after the ransom went unpaid. Sandhills notified 169,017 individuals around April 28, 2026; class-action investigations followed.
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware / Extortion.
If you believe your information may be included:
Sandhills Medical Foundation, a South Carolina federally qualified health center, suffered a ransomware attack by the INC Ransom group with network access from about May 2-8, 2025 (detected May 8 when files were encrypted). INC Ransom listed Sandhills on May 30, 2025 and leaked all stolen data on…
Verified fields include Date of Birth, Driver's License, Email Address, Full Name, Medical Diagnosis, Phone Number, Physical Address, Social Security Number.
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Every claim on this page is traceable. This breach draws on:
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation