Cyber Incident Victim: Sandhills Medical Foundation
Date: May 2025
Location: United States of America
Summary
Sandhills Medical Foundation disclosed a ransomware breach that exposed personal data of nearly 170,000 individuals. The compromised information included names, dates of birth, Social Security numbers, taxpayer IDs, driver’s licenses, government IDs, passports, financial details, and protected health information. The attack was attributed to the Inc Ransom group, which posted the stolen data on its leak site and made it available for download. The organization worked with law enforcement, cybersecurity experts, and a forensics firm to investigate the intrusion and notify affected parties.
Description
On May 8, 2025, Sandhills Medical Foundation identified a ransomware attack on its network. The organization promptly engaged law enforcement agencies, retained cybersecurity experts, and contracted a forensics firm to investigate the intrusion and assess its scope. Throughout the investigation, the foundation collaborated with these external parties to gather evidence and determine how the attackers gained access.

The investigative effort continued for several months as the team worked to establish which systems were compromised and what data had been exfiltrated. During this period, the foundation did not disclose the incident publicly while it focused on understanding the full impact. In early June 2025, the Inc Ransom ransomware group added Sandhills Medical to its leak site, signaling that it had obtained data from the breach.

Nearly one year after the initial detection, in May 2026, Sandhills Medical Foundation issued a public notice informing approximately 170,000 individuals that their personal information had been affected. The notice specified that compromised data included names, dates of birth, Social Security numbers, taxpayer identification numbers, driver’s licenses, government‑issued identification, passports, financial details, and personal health information. The foundation stated that the information belonged to select patients but acknowledged the broader impact as reported to the Maine Attorney General’s Office. The Inc Ransom group subsequently made the allegedly stolen files available for download on its leak website.
