// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRC-newsDTG 0600Z
ColdRecon / Breach Radar / Sandhills Medical
Breach Record

Sandhills Medical

DISCLOSED 2025-05-01 · RANSOMWARE · 170,000 RECORDS EXPOSED · RANSOMWARE

The Inc Ransom ransomware gang breached Sandhills Medical in May 2025, stealing data on 170,000 patients. The healthcare provider delayed notifying affected individuals for 344 days. The attack involved ransomware, indicating endpoint compromise.

The record

What we know

Disclosed
2025-05-01
Attack vector
Ransomware
Sector
Healthcare
Records exposed
170,000
Data classes exposed
patients' data
RANSOMWARE ENDPOINT INVOLVED
ColdRecon assessment

Could a positive-security control have prevented this?

Verdict · would prevent · opinion

A positive-security allowlist model that rejects unauthorized changes would likely have blocked the ransomware execution, as it would prevent unknown binaries or modifications from running on endpoints.

Our assessments are opinion, grounded in the cited public facts. Read them critically.

Sources

Cited reporting

Similar vector · recent

Other ransomware breaches on file

This page is the permanent ColdRecon entry for the Sandhills Medical disclosure. It updates if new public reporting emerges. All tracked breaches →

Sandhills Medical just lived through this. Your next prospect doesn't have to.

ColdRecon turns every disclosed breach into a daily intelligence brief from the seller's seat — normalized to the factors that move a deal, written in the Handler's voice. Request clearance and the first lands tomorrow at 0600.

Request Clearance →