Back to news
Cybersecurity Alert
July 5, 2026 by EmailMeNow IT Consulting

Were South Texas Spinal Clinic & Soniva Dental Breached? We Scanned Their Domain Security

San Antonio patients sued South Texas Spinal Clinic and Soniva Dental after The Gentlemen ransomware group claimed June 2026 breaches. SSNs and medical records were exposed. Independent audits score spinaldoc.com at 54% and sonivadental.com at 56%.

Source: Hoodline · San Antonio Express-News

NewsData BreachRansomwareThe GentlemenTexasHealthcareSan AntonioCybersecurity
San Antonio healthcare clinics targeted by The Gentlemen ransomware group

Yes — two San Antonio-area healthcare providers are facing a wave of patient lawsuits after the ransomware group known as The Gentlemen claimed to have stolen data from their systems in June 2026. Plaintiffs accuse South Texas Spinal Clinic PA (spinaldoc.com) and Soniva Dental LLC (sonivadental.com) of failing to protect sensitive patient information and delaying notification, according to Hoodline’s June 25, 2026 report citing the San Antonio Express-News.

Exposed data includes names, dates of birth, Social Security numbers, and medical records — a combination that raises both identity theft and HIPAA privacy concerns for patients who may not yet know whether their files were taken.

We scanned spinaldoc.com and sonivadental.com to assess the email and domain security posture relevant to this incident and follow-on impersonation risk.

What Happened

According to Hoodline and court filings referenced by the San Antonio Express-News:

  • June 1, 2026 — Breach date alleged for Soniva Dental LLC (sonivadental.com).
  • June 15, 2026 — Breach date alleged for South Texas Spinal Clinic PA (spinaldoc.com).
  • June 2026 — The Gentlemen ransomware crew listed both providers on a public leak site as part of a double-extortion campaign: steal data first, encrypt systems second, then threaten publication if ransom is not paid.
  • Late June 2026 — Multiple lawsuits landed in Texas state court. South Texas Spinal Clinic was named in at least six complaints; Soniva Dental in at least two. Plaintiffs seek class certification and damages exceeding $1 million per case.

The Gentlemen operate a ransomware-as-a-service (RaaS) model. ESET Research and other analysts describe affiliates equipped with GentleKiller, an EDR-killing toolkit that can disable hundreds of security processes in one pass — a pattern that makes rapid lateral movement and backup destruction especially dangerous for small clinics storing PHI on shared networks.

Illustration: The Gentlemen ransomware leak-site extortion threat against San Antonio healthcare clinics

Breach Impact at a Glance

FieldSouth Texas Spinal ClinicSoniva Dental
EntitySouth Texas Spinal Clinic PASoniva Dental LLC
Domainspinaldoc.comsonivadental.com
SectorSpinal / orthopedic careDental practice
Alleged breach dateJune 15, 2026June 1, 2026
Lawsuits filed (as reported)≥ 6≥ 2
Damages sought> $1M (class action)> $1M (class action)
Data types exposedNames, DOB, SSNs, medical recordsNames, DOB, SSNs, medical records
Threat actorThe Gentlemen (RaaS)The Gentlemen (RaaS)

Data at Risk

Affected files may include:

  • Full names and dates of birth
  • Social Security numbers
  • Medical records — treatment histories, diagnoses, and dental or spinal care documentation
  • Billing and insurance identifiers tied to patient accounts

Because SSNs and medical data were involved, affected patients face elevated identity theft, medical identity misuse, and benefits fraud risk — not just routine phishing after a name-and-email leak.

Illustration: patient SSN and medical records exposed in San Antonio clinic ransomware breach

Regulatory Reporting Status

Texas organizations that determine a breach affected 250 or more state residents must notify the attorney general as soon as practicable and not later than the 30th day under Texas Business & Commerce Code §521.053. HIPAA-covered providers must also report qualifying incidents to the HHS Office for Civil Rights.

RequirementStatus (as of Hoodline publication, June 25, 2026)
Texas AG public breach listingNeither clinic appeared listed
HHS OCR Breach PortalNot yet updated for June incidents
Patient notificationPlaintiffs allege delayed or inadequate notice

Judges will decide whether the complaints proceed as class actions. Cases remain pending in Texas state court and could be consolidated if courts find sufficient common facts.

Why Texas Healthcare Providers Should Care

These are not large hospital systems — they are regional specialty and dental practices with the same PHI obligations as major health networks. Texas clinics should note:

  • SB 2610 and breach-notification rules apply when Texas patients’ SSNs and medical data are involved — regardless of practice size.
  • Ransomware crews like The Gentlemen target small and mid-size providers precisely because EDR gaps, flat networks, and weak backup isolation are common.
  • Post-breach impersonation targeting @spinaldoc.com and @sonivadental.com staff and patients peaks when notification letters are delayed — a window where fake credit-monitoring and billing phishing thrives.

Independent Cybersecurity Audit

We ran an EmailMeNow Cybersecurity Audit of both domains on July 5, 2026:

DomainOverallIdentityTransportWebsiteRisk
spinaldoc.com54%50%15%45%Average
sonivadental.com56%35%15%70%Average

Key findings:

  • 54–56% overall (Average) — both domains sit well below the 100% ideal recommended for healthcare providers handling patient SSNs and medical correspondence.
  • 35–50% Identity & Spoofing — partial DMARC/SPF posture on both domains; insufficient to reliably block spoofed messages impersonating clinic staff during an active breach-notification window.
  • 15% Transport Security — no effective MTA-STS enforcement or TLS-RPT reporting on either mail path.
  • 100% Email Infrastructure — both route mail through Microsoft 365 / Exchange, a solid hosted platform that does not offset weak transport and identity gaps on its own.
  • 45% vs. 70% Website Securityspinaldoc.com shows weaker public-facing web controls than sonivadental.com; both remain below the 100% ideal.

Illustration: spinaldoc.com and sonivadental.com email security audits showing identity and transport weaknesses

Weak public-domain email controls do not cause a ransomware breach by themselves, but they amplify harm when attackers already hold patient contact data and lawsuits allege notification delays — exactly when fake patient-portal and billing phishing peaks.

Audit links:

Priority Actions

If you were a patient at either clinic and believe your data was exposed:

  • Monitor bank statements, credit reports, and explanation-of-benefits notices for anything unfamiliar.
  • Use IdentityTheft.gov to place fraud alerts or credit freezes — not links from unsolicited email or text.
  • Save any breach notices you receive and document suspicious medical billing or new accounts opened in your name.

For Texas clinics and dental practices:

  • Enforce phishing-resistant MFA on Microsoft 365, EHR, imaging, and billing admin accounts.
  • Deploy DMARC p=reject with aligned SPF on every patient-facing domain.
  • Add MTA-STS mode=enforce and TLS-RPT before the next ransomware listing.
  • Segment clinical, billing, and backup systems; test restore paths against EDR-killing toolkits.
  • Track incidents on the Texas OAG YTD dashboard and ransomware threat landscape.

Protect patient PHI, billing data, and clinic correspondence.

Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for DMARC enforcement, MTA-STS deployment, and incident response planning.


Sources: Hoodline — San Antonio patients sue after ransomware hits clinics · Texas Business & Commerce Code §521.053 · HHS OCR Breach Portal · South Texas Spinal Clinic — spinaldoc.com · Soniva Dental — sonivadental.com · EmailMeNow audit — spinaldoc.com · EmailMeNow audit — sonivadental.com