Spindletop Center Hit by Rhysida Ransomware Attack in September 2025
In September 2025, Spindletop Center, a Texas-based behavioral health clinic, disclosed a data breach affecting an undisclosed number of patients. The incident, first detected on September 29, 2025, involved unauthorized access to sensitive information, including names, Social Security numbers, government-issued IDs, diagnoses, and case numbers.
The ransomware group Rhysida claimed responsibility for the attack, asserting it stole records of 100,000 individuals and demanding a 15 bitcoin ransom (approximately $1.65 million). Rhysida provided sample documents as proof of the breach, though Spindletop has not verified the group’s claims. The clinic’s investigation, concluded on December 3, 2025, determined that unauthorized access may have occurred as early as September 23, 2025. Spindletop’s breach notification did not mention credit monitoring or identity theft protection for affected individuals.
Rhysida, a ransomware-as-a-service (RaaS) operation active since May 2023, has been linked to 100 confirmed attacks (and 156 unconfirmed) since its emergence, compromising nearly 5.5 million records. The group’s average ransom demand is $1.17 million, with healthcare providers being frequent targets. In 2025 alone, Rhysida claimed 17 breaches, including four in the healthcare sector:
- Florida Lung, Asthma & Sleep Specialists (May 2025, 10,000 affected, $639,000 ransom)
- Cookeville Regional Medical Center (July 2025, 500+ affected, $1.15 million ransom)
- MedStar Health (September 2025, $3.1 million ransom)
The Spindletop breach is part of a broader surge in ransomware attacks on U.S. healthcare providers. In 2025, 104 confirmed incidents compromised over 8.8 million records, with an average ransom demand of $697,000. Other recent attacks include:
- Pulse Urgent Care Center (March 2025, 4,035 affected, $120,000 ransom by Medusa)
- Medical Center, LLP (Georgia) (October 2025, claimed by PEAR)
- University of Hawaii Cancer Center (August 2025)
Ransomware attacks on healthcare facilities disrupt critical systems, forcing providers to cancel appointments, divert patients, or revert to manual record-keeping. The fallout can jeopardize patient safety, privacy, and operational stability.
Spindletop Center, headquartered in Beaumont, Texas, operates five locations and serves over 16,000 patients annually, employing more than 500 staff. The clinic offers mental health services, substance use treatment, and support for intellectual and developmental disabilities.
Spindletop Center cybersecurity rating report: https://www.rankiteo.com/company/spindletop-center
Pulse Healthcare cybersecurity rating report: https://www.rankiteo.com/company/wearepulsehealthcare
Florida Behavioral Health Association cybersecurity rating report: https://www.rankiteo.com/company/florida-behavioral-health-association
"id": "SPIWEAFLO1768501917",
"linkid": "spindletop-center, wearepulsehealthcare, florida-behavioral-health-association",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '100,000 (claimed by Rhysida, '
'unverified by Spindletop)',
'industry': 'Healthcare',
'location': 'Beaumont, Texas, USA',
'name': 'Spindletop Center',
'size': '500+ full-time staff, serves 16,000+ patients '
'per year',
'type': 'Behavioral health clinic'}],
'customer_advisories': 'Notice to victims (PDF) submitted to Texas Attorney '
'General',
'data_breach': {'data_encryption': 'Yes (ransomware encrypted systems)',
'data_exfiltration': 'Yes (claimed by Rhysida)',
'number_of_records_exposed': '100,000 (claimed by Rhysida, '
'unverified)',
'personally_identifiable_information': 'Names, Social '
'Security numbers, '
'Government-issued ID '
'numbers',
'sensitivity_of_data': 'High (PII, PHI)',
'type_of_data_compromised': 'Personal and health information'},
'date_detected': '2025-09-29',
'date_resolved': '2025-12-03',
'description': 'Spindletop Center, a behavioral health clinic in Texas, '
'experienced a ransomware attack in September 2025, resulting '
'in a data breach that compromised sensitive personal '
'information. The ransomware group Rhysida claimed '
'responsibility and demanded a ransom of 15 bitcoin ($1.65 '
'million).',
'impact': {'brand_reputation_impact': 'Potential negative impact on brand '
'reputation',
'data_compromised': 'Names, Social Security numbers, '
'Government-issued ID numbers, Diagnoses, Case '
'numbers',
'downtime': 'Limited time',
'identity_theft_risk': 'High',
'operational_impact': 'System outage, potential disruption to '
'healthcare services',
'systems_affected': 'Systems and servers were inoperable for a '
'limited time'},
'investigation_status': 'Concluded',
'motivation': 'Financial gain',
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes (claimed by Rhysida)',
'ransom_demanded': '15 bitcoin ($1.65 million)',
'ransomware_strain': 'Rhysida'},
'references': [{'source': 'Comparitech'},
{'source': 'Spindletop Center Notice to Victims (PDF)'}],
'regulatory_compliance': {'regulatory_notifications': 'Submitted to Texas '
'Attorney General'},
'response': {'communication_strategy': 'Notice to victims (PDF) submitted to '
'Texas Attorney General'},
'threat_actor': 'Rhysida',
'title': 'Spindletop Center Ransomware and Data Breach',
'type': 'Ransomware, Data Breach'}