Two San Antonio healthcare providers are now fielding plaintiff lawyers and dark-web extortion threats in the same week. As of late June 2026, both South Texas Spinal Clinic and Soniva Dental have been named on the leak site of the ransomware operation that calls itself The Gentlemen, and both are already the subject of proposed class-action investigations on behalf of patients whose protected health information may have been stolen. Neither attack has been fully confirmed by the providers themselves, which is exactly the uncomfortable posture that defines modern healthcare ransomware: the criminals make the announcement, the lawyers respond, and the victim organization is left to verify a breach it has not yet finished investigating.

This is not a new actor for readers of breached.company. The Gentlemen is an established ransomware-as-a-service and extortion operation we have tracked through both a backend-infrastructure leak analyzed by Check Point and a Krebs-on-Security attribution tying the operation to an individual using the handle Yapaev. What is new is the increasingly familiar pattern of small and mid-size healthcare providers being treated as soft, high-value targets, and the speed with which US class-action machinery now spins up around a claim that has not even been confirmed.

What The Gentlemen Are Claiming

According to dark-web monitoring trackers, The Gentlemen posted Soniva Dental to its leak site on or around June 4, 2026, claiming responsibility for a cyberattack against the Texas-based dental group, which operates across roughly 13 branches. The group threatened to release sensitive data unless the clinic opened negotiations. A few weeks later, around June 15, 2026, South Texas Spinal Clinic appeared on the same leak infrastructure. South Texas Spinal Clinic operates 11 locations across San Antonio and South Texas, making it precisely the kind of multi-site, mid-market provider that The Gentlemen have favored.

It is worth being precise here about what is established versus what is asserted. The Gentlemen claim to have breached both organizations and to hold sensitive data. That claim, by itself, is not proof. Ransomware crews routinely inflate the scope of what they have taken, recycle old data, or list victims they only partially compromised in order to pressure payment. As of the reporting around June 26, 2026, neither provider had publicly confirmed the group’s claims or filed a formal breach notification quantifying what, if anything, was exposed. Treat the leak-site listing as an allegation backed by a financially motivated party, not as a settled fact.

That said, the allegation is credible on its face because it fits the actor’s profile. The Gentlemen run a double-extortion model: affiliates break in, exfiltrate data, encrypt systems, and then threaten public release if the ransom goes unpaid. The leak site is the pressure mechanism, not an afterthought. When a healthcare provider shows up there, the realistic assumption is that some volume of data has already left the building.

Why Healthcare Keeps Getting Hit

The Gentlemen have scaled with alarming speed. The operation grew from roughly 30 claimed victims in autumn 2025 to well over 320 publicly listed victims by April 2026, claiming more than 320 organizations in the first months of the year and accounting for an outsized share of all global ransomware claims during that period. Microsoft Threat Intelligence tracks the operators as Storm-2697, a RaaS platform whose affiliates carry out the intrusions while the core team maintains tooling, including a self-propagating Go-based encryptor capable of hitting Windows, Linux, ESXi, and NAS targets. In Q1 2026, the group ranked among the most active in confirmed healthcare incidents, trailing only crews like Qilin and Akira.

The reason healthcare remains a preferred hunting ground is structural, not accidental. Multi-site clinics like a regional spinal practice or a dental group run sprawling IT footprints with legacy systems, flat networks, and lean security teams. They hold extraordinarily sensitive data: diagnoses, imaging, insurance details, Social Security numbers, and full demographic profiles. And they operate under intense pressure to restore patient-facing operations quickly, which historically has made them more willing to negotiate. For an extortion operation promising affiliates a generous cut, that combination of weak defenses, valuable data, and operational urgency is close to ideal.

The result is that providers that would never describe themselves as high-profile cyber targets nonetheless end up on a leak site beside hospital systems and logistics giants. South Texas Spinal Clinic and Soniva Dental are not outliers in The Gentlemen’s victim list. They are the median.

The Class Action Arrives Before the Breach Notice

The most striking feature of these incidents is how quickly the litigation followed the criminals. Plaintiff firms are already publicly probing The Gentlemen’s claims against both providers and inviting affected patients to join proposed class actions, even though the providers have not finished confirming the scope of either breach. This is now standard practice in the United States: a leak-site listing functions as a marketing signal to the data-breach plaintiff bar, which moves to organize a class before the official Notice of Data Breach letters ever reach mailboxes.

For the providers, this creates a brutal two-front problem. On one side sits the extortion crew, demanding payment and threatening to dump patient records. On the other sits the prospect of consolidated litigation alleging negligence, inadequate safeguards, and failure to protect PHI under state law and, where applicable, the duties that flow from HIPAA’s security expectations. The legal exposure does not wait for the forensic investigation to conclude. In practice, the lawsuits frequently precede any concrete public accounting of what was taken.

That asymmetry rewards The Gentlemen twice over. The mere act of naming a healthcare victim publicly increases the pressure to pay, not only because of the reputational hit but because the victim now anticipates the downstream cost of litigation regardless of whether it pays the ransom. Extortion and class action have become, in effect, a coordinated squeeze that the attacker triggers and the legal system finishes.

What These Providers and Their Peers Should Do Now

For South Texas Spinal Clinic, Soniva Dental, and the many mid-market providers watching this unfold, the practical priorities are clear. Confirm scope through proper forensics before making public claims in either direction, because both overstating and understating exposure carry legal consequences. Preserve evidence and engage breach counsel early, given that litigation is now effectively automatic. Notify affected individuals promptly and accurately once scope is established, since notification timing is itself a frequent basis for claims. And revisit the basics that The Gentlemen exploit: network segmentation, offline and tested backups, multifactor authentication on remote access, and monitoring tuned to the rapid exfiltration that precedes encryption.

The harder lesson is strategic. A regional clinic group cannot assume obscurity is protection. The Gentlemen and operations like them industrialized victim selection long ago, and a leak-site listing followed by a class-action probe is now a predictable sequence rather than a worst case. The providers that fare best are the ones that assumed they were already on the target list and prepared accordingly, well before their name appeared in a dark-web post.

What remains unverified here is real, and we will update as South Texas Spinal Clinic and Soniva Dental confirm details. What is no longer uncertain is the playbook: claim, pressure, sue, repeat. San Antonio is just this week’s example.

Sources