A ransomware attack hit Sandhills Medical Foundation's systems in May 2025. Most patients did not find out until nearly a year later.
On April 28, 2026, Sandhills Medical Foundation, Inc., a federally qualified community health center serving residents across McBee, Pageland, Cheraw, and communities throughout Chesterfield County, South Carolina, began notifying a select group of patients that their personal information had been accessed by an unauthorized third party. The attack had been discovered on May 8, 2025, nearly eleven months earlier. According to cybersecurity researchers who tracked the incident, the ransomware group INC Ransom publicly claimed responsibility in June 2025 and posted stolen data to the dark web shortly after. Those claims come from third-party threat intelligence sources and have not been confirmed in Sandhills Medical's official disclosure.
If you or someone you know received a notification from Sandhills Medical, or believe you should have received one, Cory Watson Attorneys is reviewing claims and offering free consultations with no obligation.
What Happened
On May 8, 2025, Sandhills Medical discovered it had been the victim of a ransomware attack. The organization immediately secured its network and launched an investigation with the help of cybersecurity experts, law enforcement, and an independent forensic firm. That investigation confirmed an unauthorized third party had accessed its server directly and obtained personal information for select patients.

Sandhills then conducted an extensive data mining process to identify who was affected. Those individuals were notified directly by U.S. mail. Sandhills Medical published its official data security incident notice as part of that notification process.
The attack happened in May 2025, but the notification did not begin until April 2026, nearly eleven months later. During that entire period, patients had no way of knowing their information may have been in the wrong hands.
What Information Was Taken
According to Sandhills Medical's official disclosure, the following categories of information were compromised:
- Dates of birth
- Social Security numbers
- Individual Taxpayer Identification Numbers (ITINs)
- Driver's license numbers
- Government-issued identification
- Passport information
- Financial account information
- Personal health information (PHI)
The consequences of this kind of breach do not stop when the attack ends. Social Security numbers and ITINs cannot be reissued and can be exploited for years. Personal health information can be used to bill insurance for services that never happened or to obtain prescription drugs in someone else's name. That type of fraud is hard to catch and even harder to undo.
This is not a theoretical concern. A prior Sandhills Medical breach resulted in a patient's stolen information being used to fraudulently apply for a loan in her name, a harm serious enough to warrant federal court action.
Who Was Affected
The breach affected a select group of patients whose personal information was stored on Sandhills Medical's systems. Third-party breach-tracking sources report a total of 169,017 affected individuals, though Sandhills Medical's own notice does not specify a figure. The organization serves patients across McBee, Pageland, Cheraw, and surrounding communities in Chesterfield County.
If you were ever a patient, guarantor, or had any financial relationship with Sandhills Medical Foundation, your data may have been accessed. Affected individuals were notified by U.S. mail. If you believe you should have received a letter but did not, contact Sandhills Medical directly or speak with an attorney.
Sandhills Medical is providing all affected individuals with access to credit monitoring and proactive fraud assistance services at no charge. Details are included in the notification letter. A support line is available at 1-833-877-9639, Monday through Friday, 8 a.m. to 8 p.m. Eastern time, excluding holidays.
In a statement, Amanda Duke, CEO of Sandhills Medical, said the organization has responded with fully updated IT safeguards and protocols and sincerely regrets any concern the incident caused.
Before enrolling in any services or responding to the notification letter, speak with a data breach attorney first. Accepting offers from the organization responsible for the breach can affect your legal rights.
Why the Notification Timeline Matters Legally
The gap between discovery and notification is not just frustrating. It may be legally significant.
Under S.C. Code Section 39-1-90, South Carolina businesses must notify affected residents without unreasonable delay. HIPAA's Breach Notification Rule requires covered healthcare providers to notify affected individuals within 60 days of discovering a breach. Sandhills Medical discovered the breach on May 8, 2025, but notification did not begin until April 2026, nearly eleven months later. Whether that satisfies the legal standard is a question a court may have to answer.
South Carolina residents have a private right of action under the state statute. A negligent violation supports a claim for actual damages, and a willful violation opens the door to broader civil remedies. The state can impose fines of up to $1,000 per affected resident, and HIPAA penalties can reach $1.5 million per violation category per year.
Steps to Take Right Now
1. Talk to an attorney before accepting anything. Enrolling in Sandhills Medical's credit monitoring offer without legal guidance could limit your options.
2. Freeze your credit. Contact Equifax, Experian, and TransUnion to place a free credit freeze or fraud alert. This prevents new accounts from being opened in your name.
3. Pull your free credit reports. Visit annualcreditreport.com or call 1-877-322-8228. Look for accounts or inquiries you do not recognize.
4. Review your health insurance statements. Check every Explanation of Benefits (EOB) for services you did not receive. This is a key sign of medical identity theft.
5. Watch for phishing. Criminals use real breach notifications to craft follow-up scams. Be skeptical of any unsolicited contact referencing Sandhills Medical.
6. Report fraud. File a complaint with the FTC at identitytheft.gov and contact the South Carolina Department of Consumer Affairs.
Frequently Asked Questions
How do I know if I was affected?
If you were a patient or had a financial relationship with Sandhills Medical at any time, your data may have been compromised. Notification letters were mailed directly to affected individuals. If you did not receive one, a change of address may be the reason. Contact Sandhills Medical or speak with an attorney.
Should I enroll in the free credit monitoring offered?
Not before speaking with an attorney. Accepting that offer may affect your ability to pursue a legal claim.
Can I file a lawsuit?
If the breach resulted from inadequate security practices or the notification delay caused you harm, you may have legal grounds. An attorney can assess your specific situation at no cost.
How long do I have to take action?
Statutes of limitations vary by claim type. Do not wait. Contact an attorney as soon as possible to protect your options.
About Cory Watson Attorneys
Our data breach attorneys at Cory Watson Attorneys have been representing clients for more than 44 years, recovering over $4 billion for individuals whose rights were violated by institutional negligence.
Learn more about us and how we fight for clients across Alabama and the Southeast. Our team is actively reviewing claims related to the Sandhills Medical Foundation breach. Contact Cory Watson Attorneys today for a free case evaluation. There is no cost, no obligation, and no pressure.