
Inc Ransom Breach at Sandhills Medical Exposes 170K Records

Inc Ransom group breached Sandhills Medical in 2025; the South Carolina healthcare provider took nearly a year to disclose the incident, affecting 170,000 patients.

Executive Summary

Sandhills Medical Foundation, a South Carolina-based healthcare provider, disclosed a ransomware breach that exposed the personal and medical information of approximately 170,000 individuals. The incident, attributed to the Inc Ransom group, occurred in early 2025, but the organization waited nearly 11 months before issuing public notifications — a delay that has drawn scrutiny from regulators and affected patients. According to SecurityWeek, the breach notification was filed with the U.S. Department of Health and Human Services (HHS) in late April 2026.

Technical Analysis

The breach involved unauthorized access to Sandhills Medical's network, followed by the exfiltration of sensitive data. The exposed records include patient names, Social Security numbers, dates of birth, medical diagnoses, treatment information, and health insurance details. Inc Ransom, a ransomware group first observed in 2023, typically employs double-extortion tactics — encrypting systems while threatening to leak stolen data unless a ransom is paid. It remains unclear whether Sandhills Medical paid any ransom or if the group published the stolen data publicly. The organization has not released technical details about the initial access vector, such as whether a phishing campaign, unpatched vulnerability, or compromised credentials was used.

Mitigations & Recommendations

Healthcare organizations should treat this incident as a case study in the consequences of delayed disclosure. Defenders should prioritize network segmentation to limit lateral movement, deploy endpoint detection and response (EDR) tools with behavioral analytics, and enforce multi-factor authentication (MFA) on all remote access and administrative accounts. Given Inc Ransom's known use of Cobalt Strike and living-off-the-land binaries, monitoring for anomalous PowerShell execution and scheduled task creation is advised. Organizations should also review their incident response plans to ensure breach notification timelines comply with HIPAA and state regulations — Sandhills Medical's 11-month gap suggests potential compliance failures.
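A starting point for the PowerShell and scheduled-task monitoring recommended above, as an added example that is not part of the original article or any vendor product: it runs simple indicator rules over constructed Windows event records (Event IDs 4104 and 4698 with assumed field names) and correlates hits per host so that a machine showing both behaviours is escalated first.

```python
import re

# Triage constructed Windows events for the two behaviours the article says to watch:
# anomalous PowerShell execution (Event ID 4104, script block logging) and scheduled
# task creation (Event ID 4698). Field names are assumed; adapt them to your SIEM schema.
PS_PATTERNS = {
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download cradle": re.compile(r"\b(downloadstring|downloadfile|invoke-webrequest|iwr)\b", re.I),
    "dynamic eval": re.compile(r"\b(invoke-expression|iex)\b", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
}
# Script hosts / proxy-execution binaries rarely seen in a legitimate task action.
TASK_LOLBINS = re.compile(r"\b(powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)

def check_powershell(event):
    """Names of every PS_PATTERNS rule the logged script block matches."""
    return [n for n, rx in PS_PATTERNS.items() if rx.search(event.get("script_block", ""))]

def check_task(event):
    """Reasons a newly created task looks like persistence rather than admin work."""
    action = event.get("task_action", "")
    reasons = []
    if TASK_LOLBINS.search(action):
        reasons.append("task launches scripting host")
    if USER_WRITABLE.search(action):
        reasons.append("task action in user-writable path")
    return reasons

def triage(events):
    """Apply the rule for each event ID; two or more indicators rate 'high'."""
    checks = {4104: check_powershell, 4698: check_task}
    findings = []
    for ev in events:
        reasons = checks.get(ev["event_id"], lambda _: [])(ev)
        if reasons:
            findings.append({"event_id": ev["event_id"], "host": ev["host"], "reasons": reasons,
                             "severity": "high" if len(reasons) > 1 else "medium"})
    return findings

def hosts_with_both(findings):
    """Hosts with both a PowerShell and a task finding: escalate these first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["event_id"])
    return {h for h, ids in by_host.items() if ids >= {4104, 4698}}

# Constructed sample telemetry for the demo; not real Sandhills Medical data.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "WS-01", "script_block": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"event_id": 4104, "host": "WS-07", "script_block": "powershell -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"event_id": 4698, "host": "SRV-02", "task_action": "C:\\Program Files\\Backup\\backup.exe /nightly"},
    {"event_id": 4698, "host": "WS-07", "task_action": "rundll32.exe C:\\Users\\Public\\update.dll,Start"},
]
```

Run `triage(SAMPLE_EVENTS)` and then `hosts_with_both(...)` on the result; tune the patterns against a baseline of your own admin scripts before alerting on single-indicator hits.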
