Yes — two San Antonio-area healthcare providers are facing a wave of patient lawsuits after the ransomware group known as The Gentlemen claimed to have stolen data from their systems in June 2026. Plaintiffs accuse South Texas Spinal Clinic PA (spinaldoc.com) and Soniva Dental LLC (sonivadental.com) of failing to protect sensitive patient information and delaying notification, according to Hoodline’s June 25, 2026 report citing the San Antonio Express-News.
Exposed data includes names, dates of birth, Social Security numbers, and medical records — a combination that raises both identity theft and HIPAA privacy concerns for patients who may not yet know whether their files were taken.
We scanned spinaldoc.com and sonivadental.com to assess the email and domain security posture relevant to this incident and follow-on impersonation risk.
What Happened
According to Hoodline and court filings referenced by the San Antonio Express-News:
- June 1, 2026 — Breach date alleged for Soniva Dental LLC (
sonivadental.com). - June 15, 2026 — Breach date alleged for South Texas Spinal Clinic PA (
spinaldoc.com). - June 2026 — The Gentlemen ransomware crew listed both providers on a public leak site as part of a double-extortion campaign: steal data first, encrypt systems second, then threaten publication if ransom is not paid.
- Late June 2026 — Multiple lawsuits landed in Texas state court. South Texas Spinal Clinic was named in at least six complaints; Soniva Dental in at least two. Plaintiffs seek class certification and damages exceeding $1 million per case.
The Gentlemen operate a ransomware-as-a-service (RaaS) model. ESET Research and other analysts describe affiliates equipped with GentleKiller, an EDR-killing toolkit that can disable hundreds of security processes in one pass — a pattern that makes rapid lateral movement and backup destruction especially dangerous for small clinics storing PHI on shared networks.

Breach Impact at a Glance
| Field | South Texas Spinal Clinic | Soniva Dental |
|---|---|---|
| Entity | South Texas Spinal Clinic PA | Soniva Dental LLC |
| Domain | spinaldoc.com | sonivadental.com |
| Sector | Spinal / orthopedic care | Dental practice |
| Alleged breach date | June 15, 2026 | June 1, 2026 |
| Lawsuits filed (as reported) | ≥ 6 | ≥ 2 |
| Damages sought | > $1M (class action) | > $1M (class action) |
| Data types exposed | Names, DOB, SSNs, medical records | Names, DOB, SSNs, medical records |
| Threat actor | The Gentlemen (RaaS) | The Gentlemen (RaaS) |
Data at Risk
Affected files may include:
- Full names and dates of birth
- Social Security numbers
- Medical records — treatment histories, diagnoses, and dental or spinal care documentation
- Billing and insurance identifiers tied to patient accounts
Because SSNs and medical data were involved, affected patients face elevated identity theft, medical identity misuse, and benefits fraud risk — not just routine phishing after a name-and-email leak.

Regulatory Reporting Status
Texas organizations that determine a breach affected 250 or more state residents must notify the attorney general as soon as practicable and not later than the 30th day under Texas Business & Commerce Code §521.053. HIPAA-covered providers must also report qualifying incidents to the HHS Office for Civil Rights.
| Requirement | Status (as of Hoodline publication, June 25, 2026) |
|---|---|
| Texas AG public breach listing | Neither clinic appeared listed |
| HHS OCR Breach Portal | Not yet updated for June incidents |
| Patient notification | Plaintiffs allege delayed or inadequate notice |
Judges will decide whether the complaints proceed as class actions. Cases remain pending in Texas state court and could be consolidated if courts find sufficient common facts.
Why Texas Healthcare Providers Should Care
These are not large hospital systems — they are regional specialty and dental practices with the same PHI obligations as major health networks. Texas clinics should note:
- SB 2610 and breach-notification rules apply when Texas patients’ SSNs and medical data are involved — regardless of practice size.
- Ransomware crews like The Gentlemen target small and mid-size providers precisely because EDR gaps, flat networks, and weak backup isolation are common.
- Post-breach impersonation targeting
@spinaldoc.comand@sonivadental.comstaff and patients peaks when notification letters are delayed — a window where fake credit-monitoring and billing phishing thrives.
Independent Cybersecurity Audit
We ran an EmailMeNow Cybersecurity Audit of both domains on July 5, 2026:
| Domain | Overall | Identity | Transport | Website | Risk |
|---|---|---|---|---|---|
| spinaldoc.com | 54% | 50% | 15% | 45% | Average |
| sonivadental.com | 56% | 35% | 15% | 70% | Average |
Key findings:
- 54–56% overall (Average) — both domains sit well below the 100% ideal recommended for healthcare providers handling patient SSNs and medical correspondence.
- 35–50% Identity & Spoofing — partial DMARC/SPF posture on both domains; insufficient to reliably block spoofed messages impersonating clinic staff during an active breach-notification window.
- 15% Transport Security — no effective MTA-STS enforcement or TLS-RPT reporting on either mail path.
- 100% Email Infrastructure — both route mail through Microsoft 365 / Exchange, a solid hosted platform that does not offset weak transport and identity gaps on its own.
- 45% vs. 70% Website Security —
spinaldoc.comshows weaker public-facing web controls thansonivadental.com; both remain below the 100% ideal.

Weak public-domain email controls do not cause a ransomware breach by themselves, but they amplify harm when attackers already hold patient contact data and lawsuits allege notification delays — exactly when fake patient-portal and billing phishing peaks.
Audit links:
Priority Actions
If you were a patient at either clinic and believe your data was exposed:
- Monitor bank statements, credit reports, and explanation-of-benefits notices for anything unfamiliar.
- Use IdentityTheft.gov to place fraud alerts or credit freezes — not links from unsolicited email or text.
- Save any breach notices you receive and document suspicious medical billing or new accounts opened in your name.
For Texas clinics and dental practices:
- Enforce phishing-resistant MFA on Microsoft 365, EHR, imaging, and billing admin accounts.
- Deploy DMARC
p=rejectwith aligned SPF on every patient-facing domain. - Add MTA-STS
mode=enforceand TLS-RPT before the next ransomware listing. - Segment clinical, billing, and backup systems; test restore paths against EDR-killing toolkits.
- Track incidents on the Texas OAG YTD dashboard and ransomware threat landscape.
Related Trackers
- Texas OAG YTD dashboard
- Top Texas counties email security (includes Bexar County)
- Ransomware threat landscape
- Breach monitoring guide
- All state AG trackers
Protect patient PHI, billing data, and clinic correspondence.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for DMARC enforcement, MTA-STS deployment, and incident response planning.
Sources: Hoodline — San Antonio patients sue after ransomware hits clinics · Texas Business & Commerce Code §521.053 · HHS OCR Breach Portal · South Texas Spinal Clinic — spinaldoc.com · Soniva Dental — sonivadental.com · EmailMeNow audit — spinaldoc.com · EmailMeNow audit — sonivadental.com