Heart South Cardiovascular Group reports second ransomware breach in 18 months

A small Alabama cardiovascular practice has disclosed its second data breach in two years after the Rhysida ransomware group claimed responsibility and posted sample data to a dark web leak site.

What happened

Heart South Cardiovascular Group, a three-clinic cardiovascular practice serving central Alabama, has notified 46,666 people of a data breach that occurred in November 2025. According to Comparitech, the Rhysida ransomware group posted a claim on its dark web leak site on November 10, 2025, stating it had stolen data from Heart South and demanding six bitcoin in ransom, worth approximately $630,000 at the time. To support its claim, Rhysida published sample images it said were documents from Heart South, including ID scans and medical records. Heart South stated in its breach notice that on or about November 11, 2025, it learned that an unauthorized party claimed to possess its data. The organization said its investigation did not find evidence of unauthorized network access or data theft, but confirmed that a limited amount of its data had been posted on the dark web. Heart South has not confirmed Rhysida's claim, and it is not known whether a ransom was paid. Affected individuals are being offered free credit monitoring and identity theft restoration through Kroll.

Going deeper

The November 2025 incident was Heart South's second documented breach. A May 2024 cyberattack led the practice to notify 20,577 people of a separate compromise, with no ransomware group claiming responsibility for that earlier incident. Heart South has not disclosed what specific data types were exposed in the November 2025 breach, and its investigation found no direct evidence of network intrusion beyond the dark web posting. Heart South's breach notice, filed months after Rhysida's November 10 claim, covers 46,666 individuals, substantially more than the 20,577 affected in the 2024 incident, suggesting the November attack had a considerably wider reach. Heart South did not disclose details of its initial access vector or how its systems were secured at the time of the incident.

What was said

Heart South stated in its breach notice: "On or about November 11, 2025, Heart South learned that an unauthorized party claimed to possess Heart South data. The investigation did not find evidence of unauthorized network access or data theft, but we discovered that the bad actor recently posted a limited amount of Heart South data on the dark web." The organization has not publicly commented on whether the ransom was paid.

In the know

Rhysida has established a sustained pattern of targeting healthcare providers since it first surfaced in May 2023. According to BleepingComputer, the FBI and CISA jointly warned of Rhysida's opportunistic attacks across multiple sectors, with healthcare among its most frequently targeted industries. Comparitech's own tracking found that of Rhysida's 108 confirmed attacks, 25 struck healthcare providers, affecting nearly 4 million people. Its ransom demands against hospitals average around $1.1 million. Other recent Rhysida claims against healthcare organizations include a $3.1 million demand from MedStar Health following a September 2025 breach, and a $1.65 million demand from Spindletop Center in Texas after a breach the same month affecting 88,863 people.

The big picture

Heart South's situation, a small specialty practice sustaining two breaches within 18 months, is consistent with what Paubox has documented among smaller healthcare organizations. According to Paubox's What Small Healthcare Practices Get Wrong About HIPAA and Email Security report, healthcare breaches in 2025 took an average of 224 days to detect and another 84 days to contain, a combined timeline of more than ten months. One in five small healthcare organizations has no email archiving or audit trail in place, leaving them unable to fully investigate incidents after they occur. For a three-clinic cardiovascular practice, that structural gap means a second incident can follow the first before the remediation from the original breach has taken full effect. Comparitech logged 132 confirmed ransomware attacks on US healthcare providers in 2025, with breached providers notifying 11.3 million people about resulting data breaches.

FAQs

Why does Heart South's investigation finding "no evidence of unauthorized access" not resolve the breach concern?

Ransomware groups using double extortion can exfiltrate data through methods that leave incomplete or difficult-to-trace forensic evidence, particularly if logs were deleted or monitoring gaps existed. The posting of verified sample data on a dark web leak site constitutes evidence of exposure regardless of whether internal investigation logs confirm the access method.

What does Rhysida's ransomware-as-a-service model mean for potential victims?

Under a ransomware-as-a-service model, Rhysida provides its attack infrastructure and malware to affiliates who conduct the actual intrusions, with ransom proceeds split between the affiliate and the group. Any affiliate can target any organization they choose, meaning the original group does not need to select victims directly, which contributes to the opportunistic and wide-ranging nature of Rhysida attacks.

What is the significance of a second breach occurring at the same organization within 18 months?

A repeat breach at the same organization suggests that the remediation steps taken after the first incident were insufficient to close the vulnerabilities that made the organization a target. It can also indicate that the organization remained on threat actor lists from the first incident, making it a known and presumably accessible target.

How can small cardiovascular practices reduce their exposure to ransomware groups like Rhysida?

Practices should implement multi-factor authentication across all remote access points, maintain offline or immutable backups, conduct regular risk assessments, monitor network activity for anomalous behavior, and develop tested incident response plans that include manual fallback procedures for patient care continuity.

What should patients do if they were notified of exposure in the Heart South breach?

Patients should enroll in the complimentary credit monitoring through Kroll within the timeframe specified in their notification, monitor their health insurance statements for unfamiliar services, and place fraud alerts with the major credit bureaus. Any suspicious activity referencing their medical history or personal identifiers should be reported promptly.