A ransomware group accessed a Dillon Family Medicine server for two days in October 2025. South Carolina patients were not notified until nearly two months later.
On March 5, 2026, McLeod Health discovered a suspicious file on a Dillon Family Medicine server that was being decommissioned. An investigation confirmed that an unauthorized party had accessed the server between October 17 and October 18, 2025. The breach was later linked to the Qilin ransomware group, which publicly claimed responsibility and posted an extortion notice threatening to leak stolen data.
McLeod Health began mailing notification letters to the 16,788 affected patients on June 4, 2026, nearly eight months after the unauthorized access occurred, and two months after McLeod Health allegedly discovered it. If you received a notice or were ever a patient at Dillon Family Medicine in Dillon, SC, your most sensitive personal and medical information may have been exposed for months without your knowledge.
Cory Watson Attorneys is reviewing claims from affected patients and offering free, no-obligation consultations.

What Happened
Dillon Family Medicine (McLeod Health dba Dillon Family Medicine), located at 603 N 6th Avenue, Dillon, SC 29536, is a primary care practice within McLeod Health, a hospital and healthcare network serving communities across the Carolinas. As part of providing care, Dillon Family Medicine stored sensitive personal and health information for thousands of patients on its servers.
On October 17 and 18, 2025, an unauthorized party accessed one of those servers. The breach was not discovered until March 5, 2026, when a suspicious file was found on the server while it was being taken offline. McLeod Health launched an investigation with third-party cybersecurity experts and notified law enforcement. The investigation confirmed the scope of the access on April 15, 2026.
According to McLeod Health's official notice, the breach was limited to one server and did not affect active McLeod Health systems, including the current electronic medical record system. However, the accessed server contained years of patient records containing highly sensitive information.
Third-party threat intelligence trackers, including Ransomware.live indexed the Qilin ransomware group's public claim of responsibility, which included a threat to release stolen data unless negotiations were initiated.
What Information Was Exposed
According to McLeod Health's own disclosure, the following categories of information may have been compromised for 16,788 South Carolina residents:
- Full name and date of birth
- Social Security number
- Diagnoses
- Medications
- Test results and medical images
- Health insurance information
- Treatment information
This combination of personal and health data is among the most sensitive that can be stolen. Social Security numbers cannot be replaced without proof of ongoing harm from misuse. Medical records, diagnoses, and treatment histories can be used to commit insurance fraud, obtain prescription medications under another person's identity, or construct detailed profiles for targeted scams. Once that information is published on the dark web, it does not disappear.
Nearly Two Months Passed Before Patients Were Notified
The timeline in this case raises serious legal questions. The unauthorized access occurred on October 17 and 18, 2025, but was not discovered until March 5, 2026. The investigation concluded on April 15, 2026, and notification letters were not mailed until June 4, 2026.
HIPAA's Breach Notification Rule requires covered healthcare providers to notify affected individuals within 60 days of discovering a breach.
Under that standard, notification should have begun no later than May 4, 2026. Letters did not go out until June 4, 2026, more than 30 days past that deadline.
South Carolina law independently requires prompt notification under S.C. Code Section 39-1-90, which obligates businesses to notify affected residents without unreasonable delay when their personal information has been compromised. Whether McLeod Health's combined timeline from discovery to notification satisfies that standard is a question a court may ultimately decide.
Every week without notice was another week patients could not place credit freezes, monitor their health insurance accounts, or flag suspicious activity with their banks.
The Qilin Ransomware Group
The Qilin ransomware group has been active since at least 2022 and has been linked to attacks on hospitals in multiple countries, including NHS hospitals in London. Qilin operates a double-extortion model: it encrypts victim files and threatens to publish stolen data publicly if ransom demands are not met.
Qilin publicly claimed responsibility for the Dillon Family Medicine attack and posted an extortion notice on its dark web leak site. That claim was indexed by third-party threat intelligence trackers and has not been disputed in McLeod Health's official disclosure, meaning patient records may already be circulating on criminal marketplaces.
Do You Qualify? Answer These Questions
If you were a patient at Dillon Family Medicine, Cory Watson Attorneys wants to hear from you. Before reaching out, consider the following:
- Were you a patient of Dillon Family Medicine at any time in the previous 15 years?
- Have you noticed any unauthorized activity in your accounts?
- Have you received a notice from McLeod Health about this breach?
- What is the best time to reach you, Monday through Friday?
If you answered yes to any of the first three questions, you may have a legal claim
Contact Cory Watson Attorneys today for a free, no-obligation case evaluation: (877) 562-0000.
Steps to Take Right Now
Talk to an attorney before accepting anything from McLeod Health. If McLeod Health or Dillon Family Medicine offers credit monitoring or other services in response to the breach, accepting without legal guidance could affect your ability to pursue a claim.
Freeze your credit. Contact Equifax, Experian, and TransUnion to place a free credit freeze. This prevents new accounts from being opened in your name without your direct authorization.
Pull your free credit reports. Visit annualcreditreport.com and review every account and inquiry for activity you do not recognize.
Review your health insurance statements. Check every Explanation of Benefits for services you did not receive. Medical identity theft often surfaces through insurance claims for procedures that never happened.
Watch for phishing attempts. Criminals use stolen data to craft convincing follow-up scams. Be skeptical of unsolicited calls, emails, or texts referencing McLeod Health or Dillon Family Medicine.
Report fraud. File a complaint with the FTC at identitytheft.gov and report any suspicious activity to your financial institutions immediately.
Frequently Asked Questions
How do I know if I was affected?
McLeod Health began mailing notification letters to 16,788 affected patients on June 4, 2026. If you were a patient at Dillon Family Medicine in Dillon, SC, your information may have been on the accessed server. If you did not receive a letter, a change of address or mailing error may be the reason. Contact McLeod Health at 888-504-8534 or speak with an attorney.
Should I accept the free services McLeod Health is offering?
Not before speaking with a data breach attorney. Accepting offers from the organization responsible for a breach can affect your legal rights and limit your options for compensation.
Can I file a lawsuit?
If your information was exposed in the Dillon Family Medicine breach, you may have grounds for a legal claim based on inadequate security practices, HIPAA violations, or the delayed notification. An attorney can evaluate your situation at no cost.
How long do I have to take action?
Statutes of limitations vary by claim type and state. Do not delay. Contact an attorney as soon as possible to understand your rights and protect your options.
About Cory Watson Attorneys
Our data breach attorneys at Cory Watson Attorneys have been representing clients for more than 44 years, recovering over $4 billion for individuals whose rights were violated by institutional negligence. We handle data breach cases across Alabama, South Carolina, and the Southeast, and our team is actively reviewing claims related to the Dillon Family Medicine data breach.
Disclaimer: Reading this content does not create an attorney-client relationship. Laws vary by jurisdiction and individual circumstances differ.