Texas Gastroenterology Clinic Falls Victim to Interlock Ransomware Attack
Ransomware groups have attacked three healthcare providers: Gastroenterology Consultants of South Texas, Infinite Services in New York, and High Point Treatment Center in Massachusetts.
Gastroenterology Consultants of South Texas (Texas Digestive Specialists)
Gastroenterology Consultants of South Texas, which does business as Texas Digestive Specialists, has recently disclosed a May 2025 cybersecurity incident and data breach. According to the substitute data breach notice, an unauthorized third party gained access to its network in late May 2025 and may have obtained files containing personally identifiable information (PII) and protected health information (PHI). The Texas Attorney General was informed that the exposed information may have included names, addresses, dates of birth, medical records, and health insurance information.
The breach notification does not state when the attack was detected or for how long the hackers had access to the network. Third-party cybersecurity experts assisted with the investigation, and the lessons learned will be used to enhance the security of the practice's IT systems. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that the PII and PHI of 41,521 Texans were exposed in the incident, and the OCR breach portal indicates 44,579 individuals have been affected in total. The affected individuals have been offered complimentary credit monitoring services.
The breach notification letters do not mention ransomware; however, the Interlock ransomware group claimed responsibility for the attack and added the practice to its dark web data leak site. The group claims to have stolen 263 GB of data, which has been leaked online. Interlock was recently the subject of a joint alert from the FBI, CISA, HHS, and MS-ISAC following an increase in attacks on critical infrastructure entities.
Infinite Services, New York
Infinite Services, a New York-based provider of physical therapy, occupational therapy, speech therapy, and home health services, has fallen victim to a ransomware attack that exposed patient and employee data. The attack was detected on May 5, 2025, when employees were prevented from accessing the network. Third-party cybersecurity experts were engaged to investigate the incident and confirmed there was unauthorized access to one of its servers.
Ransomware was used to encrypt files, although the server was powered off, interrupting the encryption process. On June 23, 2025, Infinite Services determined that the affected server contained patient and employee information, and the decision was made to send notification letters to all potentially affected individuals, rather than wait for data mining to determine exactly which individuals had been affected. That decision ensured that notification letters were mailed promptly.
The ransomware group was not named; however, Infinite Services said no ransom was paid, and at the time notification letters were issued, none of the stolen data had been published online. Since data may be leaked, the affected individuals should take advantage of the complimentary credit monitoring and identity theft protection services that have been offered. The incident was reported to the HHS’ Office for Civil Rights as affecting 31,742 individuals.
High Point Treatment Center, Massachusetts
High Point Treatment Center in New Bedford, Massachusetts, a provider of mental health and substance abuse treatment, has notified the Maine Attorney General about a recent data event that was detected on or around July 6, 2025. Unusual network activity was detected, and third-party digital forensics experts and legal counsel were retained to investigate the activity. High Point Treatment Center said the investigation “revealed that certain information may have been viewed or copied by an unauthorized individual as part of the event.”
The exposed data was reviewed, and on July 17, 2025, it was confirmed that the breached information included names, Social Security numbers, and dates of birth. The breach involved information collected as part of employment or prospective employment. The Maine Attorney General was told that 4,613 individuals were affected. Based on the notification letter, it appears that patient data was not compromised. Complimentary credit monitoring services have been offered to the affected individuals.
While ransomware was not mentioned in the breach report, the Abyss ransomware group claimed responsibility for the attack and added High Point Treatment Center to its dark web data leak site. The group claims to have exfiltrated 1.8 TB of data, although it has not uploaded any of the stolen data to its data leak site so far.


