Austin Plastic & Reconstructive Surgery, Heart South Cardiovascular Group and Southern Illinois Dermatology: Heart South Cardiovascular Group warns 46,000+ people of data breach


Heart South Cardiovascular Group Hit by Second Data Breach in Two Years, Rhysida Ransomware Group Claims Responsibility

Heart South Cardiovascular Group, a central Alabama-based healthcare provider, has notified 46,666 individuals of a data breach discovered in November 2025, its second in as many years. The cybercriminal group Rhysida claimed responsibility for the attack on November 10, 2025, posting sample documents on its dark web leak site, including ID scans and medical records, as proof of the theft. The group demanded a $630,000 ransom (six bitcoin) in exchange for not releasing the stolen data.

Heart South acknowledged the breach in a notice to affected individuals, stating that while its investigation found no evidence of unauthorized network access, a limited amount of data was later posted online. The hospital has not confirmed Rhysida’s involvement or disclosed whether a ransom was paid. As part of its response, Heart South is offering free credit monitoring and identity theft restoration services through Kroll.

This incident follows a May 2024 breach at the same organization, which exposed the personal information of 20,577 individuals, though no ransomware group claimed responsibility at the time.

Rhysida: A Growing Threat to Healthcare
First emerging in May 2023, Rhysida operates a ransomware-as-a-service (RaaS) model, providing affiliates with malware and infrastructure to launch attacks in exchange for a cut of ransom payments. The group has claimed 265 ransomware attacks, with 108 confirmed by targeted organizations. Of those, 25 targeted healthcare providers, impacting nearly 4 million individuals. Rhysida’s average ransom demand against hospitals is $1.1 million, with recent demands including:

  • $3.1 million from MedStar Health (MD, September 2025)
  • $1.65 million from Spindletop Center (TX, September 2025)
  • $660,000 from MACT Health Board (CA, November 2025)

None of the affected organizations have disclosed whether they paid the ransoms.

Ransomware’s Escalating Impact on U.S. Healthcare
In 2025 alone, researchers tracked 132 confirmed ransomware attacks on U.S. healthcare providers, exposing the data of 11.3 million individuals. Recent incidents include:

  • Westminster Village Greenwood (14,386 affected, February 2025, claimed by Inc Ransomware)
  • MedPeds Associates of Sarasota (21,430 affected, September 2025, claimed by Beast)
  • Austin Plastic & Reconstructive Surgery (4,014 affected, June 2025, claimed by ThreeAM)
  • Rocky Mountain Care (January 2025, claimed by Qilin)
  • Southern Illinois Dermatology (November 2025, claimed by Insomnia)

Ransomware attacks on healthcare systems can disrupt critical operations, forcing hospitals to revert to manual processes, cancel appointments, and divert patients. The financial and operational strain often leaves providers with little choice but to pay or face prolonged downtime, data loss, and heightened risks to patient safety.

Heart South Cardiovascular Group operates three clinics in Clanton, Shelby, and Bibb, Alabama, specializing in heart and vascular care.

Source: https://www.comparitech.com/news/heart-south-cardiovascular-group-warns-46000-people-of-data-breach/

Dell Medical School at the University of Texas at Austin cybersecurity rating report: https://www.rankiteo.com/company/the-dell-medical-school-at-the-university-of-texas-at-austin

Heart South Cardiovascular Group, PC cybersecurity rating report: https://www.rankiteo.com/company/heart-south-cardiosvacular-group-pc

Southern Skies Dermatology cybersecurity rating report: https://www.rankiteo.com/company/southern-skies-dermatology