
Cyber Incident Victim: Sandhills Center

Date: Jul 2021

Location: United States of America

Summary

A North Carolina-based public mental health services manager experienced a significant cybersecurity incident where threat actors allegedly exfiltrated 634 GB of data, auctioning it on a hacking forum. The attackers provided proof packs containing outdated records, including decades-old student evaluations and demographic information on over 42,600 individuals across multiple counties, alongside organizational documents confirming the victim’s affiliation. Despite evidence of compromised letterheads and client records—potentially involving sensitive identifiers like Social Security and Medicaid numbers—the organization remained unresponsive to inquiries. The breach’s scale and the age of exposed files complicate potential notifications, as obsolete records may hinder victim identification and necessitate vague public disclosures. State oversight agencies had not clarified responsibility for breach notifications at the time of reporting.

Description

In July 2021, threat actors operating under the name "Marketo" claimed to have hacked Sandhills Center, a North Carolina-based Local Management Entity-Managed Care Organization (LME-MCO) that administers public mental health, disability, and substance use disorder services across nine counties. The attackers alleged they exfiltrated 634 GB of data from the organization and listed the stolen information for auction on their platform, which reportedly attracted 137 bids—though these claims remained unverified. Marketo initially provided a proof pack that lacked clear evidence linking the data to Sandhills Center, but after DataBreaches.net requested additional verification, a second archive was shared containing documents bearing Sandhills Center letterhead and materials consistent with its operations. These records included sensitive evaluations, such as a 1993 psychological assessment of a 16-year-old student, alongside demographic information on over 42,600 individuals served by the organization. Despite multiple attempts by DataBreaches.net to contact Sandhills Center executives and its compliance officer starting July 21—via both web form and email—the organization did not respond to inquiries about the breach. The North Carolina Department of Health and Human Services (NCDHHS), which oversees Sandhills Center as its agent, also did not reply to questions regarding breach notification responsibilities or applicable data retention laws.

The compromised data spanned decades, with many files appearing outdated—such as the 28-year-old student evaluation—raising concerns about unnecessary data retention and inadequate security measures for historical records. The breach exposed highly sensitive information, including intellectual assessments, behavioral reports, Medicaid numbers, Social Security numbers, and details related to developmental disability services, vocational rehabilitation programs, and mental health referrals for vulnerable populations, including pregnant women. The scale of the exfiltration (634 GB) prompted questions about Sandhills Center’s ability to detect large-scale data transfers, as no alarms or alerts were reported during the incident. Incident response efforts faced significant challenges due to the age of some records, complicating potential notifications to affected individuals. If notifications were required, the organization might resort to vague substitute notices or press releases, leaving individuals uncertain about what specific data was compromised. The breach highlighted risks of long-term data storage without robust safeguards and potential systemic vulnerabilities in the organization’s cybersecurity infrastructure.
