What happened
A ransomware attack on Sandhills Medical Foundation, a Federally Qualified Community Health Center in McBee, South Carolina, is now the subject of a class action investigation, nearly a year after the incident was first discovered.
Sandhills Medical discovered the ransomware attack on May 8, 2025. A forensic investigation determined that an unauthorized third party accessed the organization’s servers directly and exfiltrated personal information belonging to an estimated 169,017 patients during a window between November 27 and 29, 2025. Exposed data includes patient names, personal health information, and dates of birth. Notification letters were sent to affected individuals, and the class action investigation was announced on May 3, 2026.
The litigation timeline illustrates a pattern that has become increasingly common in healthcare data breaches: an initial incident, a months-long forensic investigation, delayed notification, and eventual class action filing once affected individuals receive breach letters and seek legal recourse.
Who is affected
Approximately 169,017 Sandhills Medical patients face exposure of personal health information. As a community health center serving a rural South Carolina population, many affected individuals may have limited awareness of or access to identity protection resources. The class action investigation opens a potential legal liability window for the organization that extends well beyond the original incident response costs.
Why CISOs should care
The gap between the May 2025 discovery and the November 2025 unauthorized access window, followed by notification in early 2026 and litigation by May 2026, is a timeline that security and legal teams at healthcare organizations should study carefully. Each stage (discovery, investigation, notification, and litigation) carries its own regulatory and financial exposure, and the cumulative cost of a breach that takes this long to resolve consistently exceeds the cost of the initial incident response.
For CISOs at community health centers, FQHCs, and similar organizations that operate lean security programs, this case is a concrete illustration that ransomware incidents involving patient data do not end at remediation. They enter a legal and regulatory tail that can last years.
3 practical actions
- Build litigation readiness into your breach response framework from day one: Class action exposure begins the moment breach notification letters reach affected individuals. Ensure that legal counsel is engaged in parallel with forensic investigation, that document preservation protocols are activated immediately, and that communications during the incident are managed with litigation risk in mind.
- Define and monitor your HIPAA notification clock against the forensic investigation timeline: The 60-day HIPAA notification requirement runs from the date of discovery, not the date the investigation concludes. Healthcare organizations that allow forensic timelines to run past that window face regulatory penalties on top of litigation exposure. Set hard internal deadlines that force notification decisions before the regulatory clock expires.
- Treat community health and FQHC environments as high-priority targets requiring dedicated security investment: FQHCs hold the same categories of sensitive patient data as large health systems but typically operate with significantly fewer security resources. The combination of high data sensitivity and limited defensive capability makes this sector consistently attractive to ransomware operators, and the litigation that follows compounds the long-term cost of underinvestment.
