McLeod Health Data Breach Exposes 16K Patients' Personal and Health Information
Severity: Medium (Score: 51.9)
Sources: Classaction, consumer.sc.gov, Claimdepot
Keywords: data, breach, mcleod, health, dillon, attorneys, family
Severity indicators: breach, data breach
Summary
McLeod Health reported a data breach affecting 16,788 patients from its Dillon Family Medicine location. The breach involved unauthorized access to a decommissioned server between October 17 and October 18, 2025, which went undetected until March 5, 2026. A ransomware group, Qilin, claimed responsibility for the attack on April 25, 2026. The compromised data includes names, dates of birth, Social Security numbers, and health-related information such as diagnoses and treatment details. Notification letters were sent to affected individuals on June 4, 2026, and attorneys are investigating potential class action lawsuits. The breach did not impact any active McLeod Health systems.
Key Points:
- 16,788 patients' personal and health information compromised in the breach.
- Unauthorized access occurred on a decommissioned server in October 2025.
- Ransomware group Qilin claimed responsibility for the attack.
Detailed Analysis
**Impact** The breach affected 16,788 patients of McLeod Health’s Dillon Family Medicine location in South Carolina. Exposed data includes personally identifiable information (PII) such as names, dates of birth, and Social Security numbers, as well as protected health information (PHI) including diagnoses, medications, test results, images, health insurance details, and treatment information. The incident was confined to a single decommissioned server and did not impact active McLeod Health systems. Notification to affected individuals began on June 4, 2026, with legal action being considered by affected parties.
**Technical Details** Unauthorized access occurred between October 17 and 18, 2025, targeting a server in the process of being decommissioned at Dillon Family Medicine. The breach was discovered on March 5, 2026, when a suspicious file was found during decommissioning activities. On April 25, 2026, the ransomware group Qilin claimed responsibility via the Tor network, stating they had obtained the data. No specific malware, CVEs exploited, or additional infrastructure details were provided.
**Recommended Response** Organizations should monitor for indicators related to Qilin ransomware activity and review access logs for unusual activity around decommissioned or legacy systems. Harden decommissioning procedures to ensure secure data destruction and restrict access to retired infrastructure. Patients and staff should be advised to watch for phishing attempts and identity theft. No specific patches or signatures were identified in the available information.
Source articles (3)
- Dillon Family Medicine Data Breach: PHI and PII Compromised — Claimdepot · 2026-06-05
  Dillon Family Medicine, a medical practice operating as part of McLeod Health in Dillon, South Carolina, disclosed a data breach involving unauthorized access to a server containing patient informatio…
- McLeod Health Data Breach Affects 16K; Attorneys Investigating — Classaction · 2026-06-08
  Attorneys working with ClassAction.org are looking into whether a class action lawsuit can be filed in light of the McLeod Health data breach. As part of their investigation, they need to hear from in…
- Security Breach Notices — consumer.sc.gov · 2026-06-08
Timeline
- 2025-10-17 — Unauthorized access to Dillon Family Medicine server: An unauthorized party accessed a server containing patient information during a brief window.
- 2026-03-05 — Suspicious file discovered on server: A suspicious file was found during the decommissioning process, leading to an investigation.
- 2026-04-14 — Investigation confirms unauthorized access: An investigation confirmed that unauthorized access had occurred on the Dillon Family Medicine server.
- 2026-04-25 — Qilin claims responsibility for the breach: The ransomware group Qilin posted on the dark web claiming to have obtained McLeod Health's data.
- 2026-06-04 — Notification letters sent to affected patients: McLeod Health began notifying individuals whose information was compromised in the breach.
Related entities
- Data Breach (Attack Type)
- Ransomware (Attack Type)
- Dillon Family Medicine (Company)
- McLeod Health (Company)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- classaction.org (Domain)
- Qilin (Ransomware Group)