Active breach tracker Jefferson, South Carolina Disclosed September 14, 2025

Sandhills Medical Foundation Data Breach 2025 (INC Ransom Ransomware): 169,017 Affected at South Carolina FQHC. Data Leaked June 2026. What To Do

Sandhills Medical Foundation, a federally qualified health center serving rural counties in South Carolina, suffered an INC Ransom ransomware intrusion from May 2-8, 2025 in which Social Security numbers, driver's license numbers, passport numbers, financial information, and protected health information for 169,017 individuals were exfiltrated. Individual notifications were not mailed until April 28, 2026, and INC Ransom released the stolen data publicly on June 15, 2026. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 2, 2025

INC Ransom unauthorized access to Sandhills Medical Foundation network begins (per forensic review)

May 8, 2025

Ransomware detected when files are encrypted; forensics and law enforcement engaged

May 30, 2025

INC Ransom lists Sandhills Medical Foundation on its dark-web leak site

Sep 14, 2025

HHS Office for Civil Rights breach filing submitted (169,017 affected; Hacking/IT Incident at Network Server)

Apr 28, 2026

Individual notification letters mailed; state attorneys general (including Maine, Massachusetts, and South Carolina) notified

May 1, 2026

Schubert Jonckheer & Kolbe LLP announces class-action investigation

May 3, 2026

Edelson Lechtzin LLP announces class-action investigation

Jun 2, 2026

Updated notification mailing sent to additional affected individuals

Jun 15, 2026

INC Ransom publicly releases the full stolen dataset, confirming ransom was not paid

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license and government-issued identification numbers Passport number

03

Contact & insurance

Phishing + targeted scams

Full name Individual Taxpayer Identification Number (ITIN) Financial information Protected health information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Schubert Jonckheer & Kolbe LLP (investigating, announced May 1, 2026) Migliaccio & Rathod LLP (investigating, announced April 29, 2026) Edelson Lechtzin LLP (investigating, announced May 3, 2026) Almeida Law Group (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Sandhills Medical Foundation, a federally qualified health center (FQHC) that delivers primary care, behavioral health, and immunization services across Chesterfield, Kershaw, Lancaster, and Sumter counties in rural South Carolina, was compromised by the INC Ransom ransomware group between May 2 and May 8, 2025. Forensic investigators concluded that names, dates of birth, Social Security numbers, taxpayer identification numbers, driver’s license and government-ID numbers, passport numbers, financial information, and protected health information for 169,017 individuals were exfiltrated. INC Ransom posted the data on its dark-web leak site on or around May 30, 2025, but individual notification letters were not mailed until April 28, 2026, nearly a year after the intrusion was detected. A second notification mailing followed on June 2, 2026. On June 15, 2026, INC Ransom publicly released the full stolen dataset, confirming no ransom was paid and that the data is now freely available online.

What happened

Sandhills Medical Foundation is headquartered in Jefferson, South Carolina, and operates as a federally qualified health center under the Health Resources and Services Administration program. FQHCs serve medically underserved communities regardless of patients’ ability to pay, which means Sandhills’ patient population includes rural, lower-income, uninsured, and Medicaid-enrolled individuals, as well as patients accessing integrated behavioral-health services.

On May 8, 2025, Sandhills detected that its network had been encrypted by ransomware. An independent forensic investigation determined that INC Ransom had maintained unauthorized access from May 2 to May 8, 2025, during which time files were exfiltrated from the network server. INC Ransom is a double-extortion ransomware group that has operated since at least mid-2023, targeting healthcare, education, and government entities through spear-phishing and exploitation of known software vulnerabilities. The group added Sandhills to its dark-web leak site around May 30, 2025. Because Sandhills did not pay a ransom, INC Ransom released the full dataset publicly on June 15, 2026, making all exfiltrated data freely accessible.

Sandhills filed its HIPAA breach notification with the HHS Office for Civil Rights on September 14, 2025, reporting 169,017 affected individuals. The first wave of individual notification letters was mailed on April 28, 2026, approximately 355 days after discovery. State attorneys general in Maine, Massachusetts, and South Carolina were notified concurrently. A supplemental mailing went out on June 2, 2026 for additional identified individuals. The South Carolina Department of Consumer Affairs confirmed the breach affected more than 78,000 state residents. The notification letter was sent through Cyberscout, the credit-monitoring vendor Sandhills engaged to administer the response.

What was exposed

According to the entity’s own notice page, the Maine AG filing, the Massachusetts AG filing, and the South Carolina AG filing, the data elements potentially exposed vary by individual and include:

  • Full name and date of birth
  • Social Security number
  • Individual Taxpayer Identification Number (ITIN)
  • Driver’s license number and other government-issued identification numbers
  • Passport number
  • Financial information
  • Protected health information

Because INC Ransom publicly released the stolen files on June 15, 2026, the exfiltrated data is now presumed available to any party rather than merely staged on a gated leak site. This materially increases the practical harm risk compared to a breach where data was accessed but not published.

Sensitive-population considerations

Sandhills Medical Foundation operates as a federally qualified health center, the federal designation for safety-net providers that deliver primary care to medically underserved populations regardless of ability to pay. Its patient panel skews rural, lower-income, and uninsured or Medicaid-enrolled, and includes patients receiving behavioral health services. Several characteristics of this population raise the harm profile of the breach above a typical hospital-system disclosure:

  • ITIN exposure. The notification explicitly lists Individual Taxpayer Identification Numbers, which are issued to taxpayers who are not eligible for Social Security numbers. ITIN exposure carries identity-fraud risk plus, for some patients, secondary risks tied to immigration status.
  • Passport-number exposure. Passport numbers are an unusual element for an FQHC patient record and suggest some patient files included immigration- or travel-related documentation.
  • Behavioral-health PHI. FQHCs frequently integrate primary care with behavioral health, meaning the protected health information at issue may include mental-health and substance-use treatment records, categories with heightened sensitivity under federal law.
  • Lower baseline access to monitoring. Lower-income and rural patients are less likely to already carry paid credit-monitoring or to have the time and broadband access to act quickly on a notification letter mailed nearly a year after the intrusion.
  • Data now fully public. The June 15, 2026 public release means affected individuals face ongoing and growing fraud risk as the dataset circulates further. Acting on protective steps now is more urgent than it would be under a typical contained breach.

Class-action posture

A federal lawsuit, Twitty v. Sandhills Medical Foundation, Inc. (No. 4:2025cv10394, U.S. District Court for the District of South Carolina), has been filed. A related state-court action, Sondra Bristow Twitt v. Sandhills Medical Foundation, Inc. (Chesterfield County docket 2025CP1300499), also appears in court records. In January 2026 the federal court issued a memorandum opinion and order granting plaintiff’s motion to remand.

Multiple additional plaintiffs’ firms have publicly announced investigations: Schubert Jonckheer & Kolbe LLP (May 1, 2026), Migliaccio & Rathod LLP (April 29, 2026), Edelson Lechtzin LLP (May 3, 2026), and Almeida Law Group. All four investigations emphasize the approximately 11-month delay between detection on May 8, 2025 and individual notification on April 28, 2026, which exceeds HIPAA’s 60-day breach-notification window by roughly nine months, as well as state-law notification requirements in South Carolina and other affected states.

What to do

If you received a notification letter from Sandhills Medical Foundation or believe you were a patient at one of its locations during or before May 2025:

  1. Enroll in the complimentary credit monitoring. Sandhills is offering 12 months of credit monitoring and fraud assistance through Cyberscout. Activate at bfs.cyberscout.com/activate using the code in your notification letter. The enrollment deadline is 90 days from the date on your letter. For help, call Sandhills’ breach hotline at 1-833-877-9639, available 8 a.m. to 8 p.m. Eastern on weekdays.
  2. Freeze your credit at Equifax, Experian, and TransUnion. A freeze is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account identity theft. Because INC Ransom released the stolen data publicly on June 15, 2026, the monitoring window alone is insufficient: a freeze stops new credit lines from being opened in your name.
  3. If your ITIN was on file, contact the IRS Identity Protection Specialized Unit (1-800-908-4490) and request an Identity Protection PIN (IP PIN). ITIN holders are a documented target for tax-refund fraud.
  4. If your passport number was exposed, consider requesting a replacement from the U.S. Department of State. Passport numbers are not automatically re-issued after a breach; the decision depends on your travel risk and whether you regularly use your passport for identity verification.
  5. Watch for medical-identity misuse. Review Explanation of Benefits statements from Medicaid or any private insurer for services you did not receive. Request a copy of your medical record summary from Sandhills if you suspect unauthorized treatment entries.
  6. Be alert for targeted phishing referencing Sandhills Medical Foundation, “INC Ransom,” or the breach response. Verify any outreach through the official hotline rather than links in unsolicited emails or texts.
  7. Keep your notification letter. It documents the specific data elements exposed for you and is the best record if you later need to dispute fraudulent activity or join a class action.

Stop the ongoing flow of your primary-care and behavioral-health data. HealthConsent files HIPAA restriction requests so the clinical and financial information exposed in this breach is not continuously re-shared across health information networks, insurance clearinghouses, and data brokers.

Continue reading

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.