Sandhills Medical Foundation Data Breach Exposes SSNs and Health Info of 169,017 Individuals

Sandhills Medical Foundation Discloses Ransomware Breach Affecting 169,000 Patients

HIGH
June 4, 2026
4m read
Data Breach, Ransomware, Cloud Security

Impact Scope

People Affected: 169,017

Industries Affected: Healthcare

Geographic Impact: United States (national)

Related Entities: Sandhills Medical Foundation, Inc. (Other)

Full Report

Executive Summary

Sandhills Medical Foundation, Inc., a healthcare provider, has disclosed a significant data breach resulting from a ransomware attack. The incident, which occurred in May 2025, affected 169,017 patients and involved the compromise of highly sensitive Personally Identifiable Information (PII) and Protected Health Information (PHI). Exposed data includes Social Security numbers, driver's licenses, and personal health details. While the foundation states there is no evidence of data misuse, the nature of the compromised information places affected individuals at a high risk of identity theft and other forms of fraud.


Threat Overview

The breach occurred on May 2, 2025, when an unauthorized third party gained access to one of Sandhills Medical Foundation's servers. The incident was discovered six days later, on May 8, 2025. A subsequent investigation, conducted with external cybersecurity experts, confirmed that the attackers had access to files containing a vast amount of sensitive patient data.

The scope of the exposed information is extensive and varies by individual, but potentially includes:

  • Social Security numbers
  • Driver's license or state ID numbers
  • Passport information
  • Dates of birth
  • Personal health information

This type of data is a valuable commodity on the dark web and can be used by criminals for a wide range of malicious activities. The foundation began notifying affected individuals nearly a year later, starting on April 28, 2026.


Technical Analysis

While the report does not specify the ransomware variant or the initial access vector, a typical attack of this nature involves several stages. The threat actors likely gained initial access, moved laterally to identify valuable data, and then exfiltrated and encrypted it.

This attack pattern aligns with common ransomware TTPs, which can be mapped to MITRE ATT&CK.


Impact Assessment

The breach has severe implications for the 169,017 affected individuals:

  • High Risk of Identity Theft: The combination of SSNs, driver's licenses, and dates of birth is a complete package for identity thieves to open fraudulent accounts, file fake tax returns, or commit other forms of fraud.
  • Targeted Phishing: Attackers can use the stolen health information to craft highly convincing and targeted phishing scams.
  • Long-Term Risk: Unlike a credit card number, a Social Security number cannot be easily changed, meaning affected individuals face a lifetime of increased risk.
  • Regulatory and Legal Consequences: For Sandhills, the breach will likely result in significant regulatory fines under HIPAA, as well as class-action lawsuits from affected patients.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) were mentioned in the source articles.


Cyber Observables — Hunting Hints

Security teams in similar organizations may want to hunt for precursors to ransomware attacks:

  • Process Name: powershell.exe with encoded commands. Often used for lateral movement and reconnaissance.
  • Network Traffic Pattern: Large, unexpected data uploads to cloud storage services (e.g., Mega, Dropbox). A common sign of data exfiltration before encryption.
  • Event ID: 4625 (An account failed to log on). A high volume of failed logins on a server could indicate a brute-force attempt.

Detection & Response

  1. Endpoint Detection and Response (EDR): Deploy EDR solutions on all servers and endpoints to detect and block common ransomware behaviors, such as rapid file encryption and shadow copy deletion.
  2. Network Monitoring: Monitor for large, anomalous outbound data transfers, which could be a sign of data exfiltration. This aligns with D3FEND's User Data Transfer Analysis (D3-UDTA).
  3. Log Analysis: Ingest server, firewall, and authentication logs into a SIEM to detect patterns of suspicious activity, such as lateral movement or privilege escalation.
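The three hunting hints above and the log-analysis step in Detection & Response, worked as a small SIEM triage script. This is an added example, not code from the article or from Sandhills; the flat record layout, host names, IP addresses, thresholds and sample events are constructed assumptions for the demo.

```python
import base64
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample SIEM records (hypothetical, not from the Sandhills case); the flat layout, hosts, IPs and thresholds are demo assumptions.
_ENC = base64.b64encode("Get-ChildItem C:\\Shares\\PHI".encode("utf-16-le")).decode()
EVENTS = (
    [{"ts": f"2025-05-02T01:00:{i:02d}", "type": "auth", "event_id": 4625,
      "src_ip": "10.0.0.50", "host": "FILESRV01"} for i in range(25)]   # burst of failures
    + [{"ts": "2025-05-02T01:30:00", "type": "auth", "event_id": 4625,
        "src_ip": "10.0.0.7", "host": "FILESRV01"}]                      # a single failure
    + [{"ts": "2025-05-02T02:10:00", "type": "process", "host": "FILESRV01",
        "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {_ENC}"}]
    + [{"ts": "2025-05-02T03:00:00", "type": "netflow", "host": "FILESRV01",
        "dst_host": "mega.nz", "bytes_out": 6_000_000_000}]
)
CLOUD_STORAGE = {"mega.nz", "dropbox.com"}
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def failed_logon_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """Event ID 4625: source IPs with >= threshold failures inside a sliding time window."""
    recent, flagged = defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "auth" or ev["event_id"] != 4625:
            continue
        ts, q = datetime.fromisoformat(ev["ts"]), recent[ev["src_ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["src_ip"])
    return flagged

def encoded_powershell(events):
    """Decode -EncodedCommand payloads (base64 of UTF-16LE) so an analyst sees the real command."""
    hits = []
    for ev in events:
        if ev["type"] != "process" or "powershell" not in ev["cmdline"].lower():
            continue
        m = _ENC_RE.search(ev["cmdline"])
        if m:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
            hits.append((ev["host"], decoded))
    return hits

def large_cloud_uploads(events, min_bytes=1_000_000_000):
    """Outbound transfers to consumer cloud storage above a byte threshold (pre-encryption exfil)."""
    return [(ev["host"], ev["dst_host"], ev["bytes_out"]) for ev in events if ev["type"] == "netflow"
            and ev["dst_host"] in CLOUD_STORAGE and ev["bytes_out"] >= min_bytes]
```

Each function returns the records that crossed its threshold, so the same logic can be fed from a real SIEM export once the field names are mapped.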

Mitigation

Healthcare organizations must implement robust security controls to defend against ransomware.

  1. Data Backup and Recovery: Maintain regular, offline, and immutable backups of all critical data. Test the restoration process frequently. This is the most critical mitigation for recovering from a ransomware attack (D3-FR: File Restoration).
  2. Network Segmentation: Segment the network to prevent attackers from moving laterally from a compromised workstation to a critical server containing patient data.
  3. Access Control: Enforce the principle of least privilege. Users and systems should only have access to the data and resources absolutely necessary for their function.
  4. Patch Management: Implement a rigorous patch management program to ensure all systems, especially internet-facing ones, are patched against known vulnerabilities.

Timeline of Events

  1. May 2, 2025: An unauthorized third party gains access to a Sandhills Medical Foundation server.
  2. May 8, 2025: Sandhills discovers the security breach.
  3. April 28, 2026: Sandhills begins sending initial notification letters to affected individuals.
  4. June 2, 2026: An updated mailing of notification letters is sent.
  5. June 4, 2026: This article was published.

MITRE ATT&CK Mitigations

Maintaining regular, offline, and tested backups is the most critical defense for recovering from a ransomware attack without paying a ransom.

Properly segmenting the network can contain a ransomware outbreak and prevent it from spreading to critical servers holding patient data.

Encrypting sensitive data at rest can make it useless to attackers even if they manage to exfiltrate it.

Restricting administrative privileges and implementing least privilege access limits an attacker's ability to move laterally and access sensitive data.

D3FEND Defensive Countermeasures

For a healthcare organization like Sandhills, the most critical post-compromise capability is robust backup and restoration. Implement the 3-2-1 backup rule: three copies of data, on two different media types, with one copy off-site and immutable (air-gapped or cloud-based object lock). Regularly test the restoration process to ensure data integrity and to meet Recovery Time Objectives (RTOs). This ensures that if a ransomware attack occurs, the organization can restore operations from a clean backup without needing to pay the ransom, minimizing downtime and data loss.

To mitigate the impact of data exfiltration in a double-extortion ransomware attack, all Protected Health Information (PHI) and Personally Identifiable Information (PII) should be encrypted at rest. This applies to data stored in databases, on file servers, and on endpoints. By encrypting the data itself, it remains protected even if an attacker bypasses perimeter defenses and exfiltrates the files. The stolen data would be unreadable and useless to the attackers without the corresponding decryption keys, neutralizing the extortion threat.

Sources & References

Sandhills Medical Foundation Data Breach Lawsuit. ClassActionU (classactionu.org), June 4, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Data Breach, Ransomware, Healthcare, PHI, PII, Sandhills