- Inc Ransom hit South Carolina healthcare provider Sandhills Medical on May 8, 2025.
- The breach wasn’t publicly disclosed until this week—344 days later—and affected 170,000 patients.
- Healthcare is the most-breached sector in America, with an average breach cost of $10.2 million.
The ransomware group Inc Ransom listed Sandhills Medical on its leak website in early June 2025—roughly a month after the healthcare provider says it discovered the attack. The stolen data didn’t become public until this week, when the company finally notified affected individuals and filed with the Maine Attorney General’s office. Total elapsed time between discovery and disclosure: 344 days.
Compromised information includes patient names, dates of birth, Social Security numbers, taxpayer identification numbers, driver’s licenses, passports, financial information, and personal health data. The company told the Maine AG’s office that nearly 170,000 people are affected, making this a medium-sized healthcare breach by count—but the type of data taken places it at the top of the risk pyramid.
Healthcare data commands the highest prices on dark web marketplaces. A single patient record can sell for $250 to $1,000 depending on completeness, because medical identities enable insurance fraud, prescription drug abuse, and tax refund theft in ways that credit card numbers alone cannot match. The FBI identified more than 2,100 ransomware incidents directed at U.S. critical infrastructure in 2025 alone, with healthcare consistently ranking as the most attacked sector.
Why Healthcare Keeps Getting Hit—and Keeps Waiting to Tell You
The delays between breach discovery and public disclosure have become a defining feature of the healthcare cybersecurity landscape. HHS has been pressing for faster notifications, and Congress has debated a 60-day federal breach notification standard—but healthcare organizations routinely operate outside that timeline, particularly when law enforcement requests secrecy to avoid tipping off perpetrators before an investigation is complete.
“We’re seeing longer dwell times, which means more time for attackers to exfiltrate data before being detected,” said one federal cybersecurity official familiar with healthcare sector incidents. That official requested anonymity because they were not authorized to discuss active investigations.
The average cost of a healthcare data breach hit $10.2 million in 2026, according to PropertyCasualty360—the highest of any industry for the 15th consecutive year. That figure reflects not just notification costs and credit monitoring, but regulatory fines, legal fees, and the operational disruption of taking systems offline during an incident. For a regional provider like Sandhills Medical, a $10 million incident could be existential. Compare that to Vect ransomware’s critical bug, where a coding error in the encryption routine meant even paying attackers couldn’t recover files—the worst outcome for any victim.
Inc Ransom: A Ransomware Operation That Works
Inc Ransom has been active since at least 2023 and operates as a ransomware-as-a-service group, meaning it leases its malware and infrastructure to affiliated operators in exchange for a cut of successful extortion payments. The group has targeted multiple healthcare organizations and has been linked to several high-profile U.S. hospital system breaches. Like most ransomware operations, it maintains a public leak site where it publishes data from victims who refuse to pay—creating a two-pressure system: operational disruption on one side, reputational and legal exposure on the other.
The Sandhills incident joins a string of recent healthcare sector attacks that have exposed hundreds of thousands of patient records. Cookeville Regional Medical Center in Tennessee disclosed a breach affecting 337,917 patients just weeks earlier, also linked to the Rhysida ransomware group. ADT got hacked three times in eight months, exposing 5.5 million customer records. Fidelity Brokerage Services was fined $1.25 million by Massachusetts regulators for a 2024 breach that exposed Social Security numbers and account data—another example of how even financial services firms struggle with breach disclosure timelines.
Sandhills Medical says it has since “worked with law enforcement, cybersecurity experts, and a forensics firm to investigate the intrusion and determine its impact.” The company has set up a dedicated notification page on its website. Patients who believe they may have been affected can check the company’s official statement for next steps. The investigation is ongoing, and the true scope of data exfiltration may not be known for months.
The Sandhills Medical breach notification is available on the company’s official website at sandhillsmedical.org. The Maine Attorney General’s filing lists 169,923 affected Maine residents.
