Sandhills Center

Sandhills Center, also known as the North Carolina Mental Health Service Provider, operates as a public manager of mental health services within the state of North Carolina, United States. The organization's core function involves the administration and coordination of mental health care delivery across a regional footprint, serving populations in multiple counties. Its operational scope encompasses the management of client records and the provision of services that inherently handle highly sensitive personal and medical information. The scale of its data stewardship is indicated by the significant number of individuals whose information was implicated in a known security incident, affecting over 42,600 people. This figure suggests a substantial client base and a corresponding responsibility for protecting extensive archives of personal data, including demographic details and clinical documentation. The nature of its work places it within a critical sector where data privacy is paramount, subject to both state oversight and federal health information regulations. Its public role implies a function within the state's mental health infrastructure, likely acting as a key access point for services for residents in its designated areas.

A defining and publicly documented event for the organization is a major cybersecurity incident that occurred in late July 2021. During this breach, threat actors allegedly exfiltrated 634 gigabytes of the organization's data and subsequently auctioned it on a hacking forum. The attackers provided proof packs containing organizational documents that confirmed the victim's identity, alongside client records. The exposed data included decades-old student evaluations and demographic information, with the potential compromise of highly sensitive identifiers such as Social Security numbers and Medicaid information. The advanced age of many records complicated the breach's aftermath, as obsolete files hindered straightforward victim identification and likely necessitated cautious public disclosures. Notably, the organization remained unresponsive to inquiries following the public revelation of the attack, a stance that drew attention to its incident response practices. This event underscores the severe risks associated with long-term data retention in the healthcare sector and the operational challenges an entity faces when legacy systems contain vast quantities of outdated personal information. The incident also highlighted ambiguities in state-level responsibilities for breach notification for such public health service managers at the time of the event.