Sandhills Medical Data Breach Affects 169,017 Patients: Sensitive PII and PHI Exposed

Sandhills Medical Foundation Inc., a not-for-profit healthcare provider with multiple locations across South Carolina, has disclosed a data breach affecting approximately 169,017 individuals in the United States.

On May 8, 2025, Sandhills Medical Foundation discovered it was the victim of a ransomware attack. After regaining control of its network, the company launched an investigation with the help of cybersecurity experts to better understand the incident.

The forensic investigation determined that an unauthorized third party accessed the company's server directly and obtained personal information of patients.

On June 3, 2025, INC Ransom, a ransomware group, posted a claim on the dark web using the Tor network. The group claimed to have obtained data from the organization.

The types of information exposed varied by individual but may have included date of birth, Social Security number, individual taxpayer ID number, driver's license number, government-issued identification, passport information, financial information and personal health information.

The breach was disclosed to the Maine Attorney General and the Vermont Attorney General starting on April 28, 2026.

Sandhills Medical mailed notification letters to affected consumers on April 28, 2026. The company also posted a notice on its website about the incident.

Sandhills Medical Foundation's response to the breach

Sandhills Medical is providing all affected individuals with 12 months of free credit monitoring services. The company is also offering proactive fraud assistance through Cyberscout, a TransUnion company that specializes in fraud assistance and remediation services.

To enroll in these free services, affected individuals can visit the Cyberscout activation page and enter the unique code provided in their notification letter. Enrollment must be completed within 90 days of the date of the letter.

Representatives are available to answer questions about the incident by calling 1-833-877-9639, Monday through Friday, from 8 a.m. to 8 p.m. Eastern time, excluding holidays. This help line is available for 90 days from the date of the notification letter.

Steps to take if your information was exposed

• Place a fraud alert or security freeze on credit files by contacting one of the three major credit bureaus: Experian (1-888-397-3742), Equifax (1-800-525-6285) or TransUnion (1-800-680-7289), since Social Security numbers and financial information were among the data exposed.
• Request free credit reports at AnnualCreditReport.com and review them carefully for any unfamiliar accounts or suspicious activity.
• Monitor financial account statements closely for unauthorized transactions, since financial information may have been accessed in this breach.
• Review health insurance Explanation of Benefits statements for medical services not received, as personal health information was among the types of data exposed.
• Watch for phishing attempts that reference Sandhills Medical Foundation or this data breach by name, as scammers often use real breach notifications to trick people into sharing more personal information.
• Report any signs of identity theft to the Federal Trade Commission at ftc.gov/idtheft or by calling 1-877-438-4338, or file a police report with local law enforcement if identity fraud occurs.