San Antonio patients are taking their grievances to court after a ransomware group claimed it broke into two local healthcare providers this month. The lawsuits target South Texas Spinal Clinic PA and Soniva Dental LLC, accusing both of failing to protect sensitive patient data and dragging their feet on telling people what happened. Plaintiffs say the incidents exposed highly personal information and are asking judges to treat the cases as class actions and award damages.
According to the San Antonio Express-News, multiple lawsuits have landed in recent weeks, and each seeks class certification and more than $1 million in damages. South Texas Spinal Clinic has been named in at least six suits, while Soniva Dental faces at least two. Plaintiffs say breaches on or about June 15 and June 1 exposed names, dates of birth, Social Security numbers and medical records. The complaints allege the ransomware group known as the Gentlemen listed victims on a public leak site and that the clinics waited too long to notify patients.
Researchers Say the Gentlemen Crew Comes Well Armed
ESET Research has found that the outfit behind the leak runs a ransomware-as-a-service operation, renting out its tools to affiliates. Those partners get an EDR-killing toolkit dubbed GentleKiller that can disable hundreds of security processes in one go. ESET and other analysts describe the Gentlemen group as using double-extortion tactics: stealing data before encrypting systems, then threatening to dump it online, and rapidly weaponizing vulnerable drivers to slip past defenses. That combination of data theft and anti-recovery tools raises the stakes when protected health information is on the line.
Why That Spells Trouble for Clinics
Trend Micro and other threat analysts say the Gentlemen operation has grown quickly since 2025, leaning on worm-like lateral movement and "bring-your-own-vulnerable-driver" techniques that let attackers race across a network. For regional medical and dental practices that keep patient Social Security numbers and medical histories on shared systems, those tactics can mean rapid, wide exposure and even damaged backups. The lawsuits argue those well known risks were present here, alleging the clinics did not put adequate cybersecurity measures in place.
Legal Duties for Texas Providers
Under Texas law, organizations that determine a breach affected at least 250 state residents must notify the attorney general “as soon as practicable and not later than the 30th day,” and HIPAA-covered providers must separately report breaches to the HHS Office for Civil Rights. The statute lays out the reporting details and is tied to the AG’s online form at Texas Business & Commerce Code §521.053, and HHS maintains a public breach portal for HIPAA incidents. The San Antonio Express-News reported that, as of its publication, neither company appeared in the state AG’s public listing and the federal breach portal had not yet been updated to reflect the June incidents.
What Patients Can Do Right Now
While the court fights and any government investigations play out, experts say patients who think they might be caught up in the breaches should keep a close eye on their finances and healthcare records. That means monitoring bank and credit card statements, reviewing medical benefit explanations and checking credit reports for anything that looks off. The Federal Trade Commission’s IdentityTheft.gov site walks people through placing fraud alerts or credit freezes and building a recovery plan. Patients who spot signs of identity theft are urged to save any notices they receive and consider filing reports with local law enforcement and the FTC to document potential harm.
At least one plaintiffs’ firm and other lawyers have launched investigations and are urging potential victims to come forward. Judges will decide whether to let the complaints proceed as class actions. The cases are now pending in state court and could be consolidated if judges find enough common ground, a test of how smaller healthcare providers are held to account after modern ransomware intrusions.
