Skip to main content
Emerging ThreatsMalware & Ransomware

Ransomware Breach Exposes Sensitive Data at Sandhills Medical Foundation

Hospital corridor with staff and patients, calm yet concerned atmosphere.

On May 8, 2025, Sandhills Medical Foundation experienced a ransomware attack.

Ransomware attack on May 8, 2025

Sandhills Medical Foundation was the target of a ransomware attack on May 8, 2025. The organization has publicly acknowledged the incident as a ransomware event; the public notice and the facts released so far center on that classification and the resulting handling of potentially exposed information.

Notification to impacted individuals in April 2026

Impacted individuals were notified in April 2026, nearly eleven months after the date of the attack. That notification, according to the Foundation's account, also prompted an investigation into the incident. The sequence reported by the Foundation places the ransomware attack in May 2025 and the outreach to affected people in April 2026.

Types of information that may have been compromised

The Foundation reported that the following categories of information may have been exposed in the breach:

  • Dates of birth
  • Social Security numbers
  • Individual Taxpayer Identification Numbers
  • Driver's license numbers
  • Government issued identification numbers
  • Passport numbers
  • Financial information
  • Personal health information

Those eight categories are the specific data elements the Foundation identified as possibly compromised when it notified affected individuals.

Investigation launched after notification

The Foundation's notification in April 2026 is reported to have launched an investigation into the incident. The public statement links the outreach to impacted individuals and the initiation of investigative activity; beyond that, the Foundation's account provides the fact of the investigation without additional detail on scope, timeline, or investigative partners.

What this means for patients, regulators, and technology teams

  • Patients: Individuals whose records are included in the categories listed — particularly Social Security numbers, passport and driver's license numbers, financial information, and personal health information — face potential risks tied to identity and financial misuse. The Foundation's notification is the primary source for affected people to begin protective steps.
  • Regulators: The notification and the subsequent investigation are the Foundation's formal actions that regulators will observe as the public record of the incident. Regulators will likely track the investigation's findings and any remedial steps the Foundation reports.
  • Technology and security teams: The Foundation's characterization of the incident as ransomware frames the technical conversation. Security teams monitoring the case will be following the investigation to learn about the attack vector, any artifacts or indicators disclosed, and the specific data exposures confirmed by forensic work.

The facts released by Sandhills Medical Foundation are straightforward: a ransomware attack occurred on May 8, 2025; impacted individuals were notified in April 2026; and the Foundation identified specific categories of data that may have been compromised. The notification also initiated an investigation. What remains to be seen in public filings and subsequent statements are the investigation's findings, the number of individuals affected, and any follow-on remedial actions the Foundation will commit to reporting.

Original story