Cyber Incident Victim: Sandhills Medical Foundation
Date: Sep 2020
Location: United States of America
Summary
A ransomware attack compromised a vendor providing electronic data storage services for Sandhills Medical Foundation, resulting in unauthorized access to patient data. Attackers used stolen credentials to infiltrate the vendor's systems, subsequently exfiltrating sensitive information including patient names, dates of birth, contact details, government-issued identifiers, and claims data that could reveal medical diagnoses. While medical records and direct financial data remained unaffected, the organization notified regulatory bodies and affected individuals, offering complimentary credit monitoring and identity theft protection services. The vendor paid ransom demands to retrieve data, implemented enhanced security measures, and engaged law enforcement alongside cybersecurity investigators.
Description
Sandhills Medical Foundation, Inc. experienced a data breach involving a third-party vendor responsible for storing electronic data related to scheduling, billing, and reporting systems. The vendor notified Sandhills on January 8, 2021, about a ransomware attack that impacted Sandhills' systems. According to the vendor's investigation, attackers initially gained access to the vendor's systems using compromised credentials on September 23, 2020. The attackers subsequently accessed Sandhills' specific data within the vendor's environment on November 15, 2020, and exfiltrated this data prior to deploying ransomware on December 3, 2020. The breach timeline spanned over two months from initial unauthorized access to ransomware deployment, with Sandhills learning of the incident more than a month after the data theft occurred.

The compromised data included patient names, dates of birth, mailing addresses, email addresses, driver's license numbers, Social Security numbers, and claims information that could reveal diagnoses or medical conditions. Medical records, lab results, medication details, credit card numbers, and bank account information were confirmed unaffected. The vendor engaged law enforcement and a cybersecurity firm, paid the ransom to retrieve the data, and received assurances from attackers about data deletion. Post-incident, the vendor implemented enhanced security measures. Sandhills reported the breach to federal and state regulators including the U.S. Department of Health and Human Services and the South Carolina Department of Consumer Affairs, while also notifying national credit bureaus. Affected patients received individual notifications by mail with offers for one year of complimentary credit monitoring and identity theft protection services accessible through dedicated phone lines.
