Central Alabama hospital warns 46,000+ people of data breach

Heart South Cardiovascular Group yesterday confirmed it notified 46,666 people of a November 2025 data breach that compromised their personal info. This was the central Alabama hospital’s second data breach in as many years.

Heart South did not disclose what types of data were compromised, but a cybercriminal group called Rhysida took credit for the breach on November 10, 2025.

On its data leak site, Rhysida said it stole data from Heart South and demanded six bitcoin in ransom, worth about $630,000 at the time. To prove its claim, Rhysida posted sample images of what it says are documents stolen from Heart South. The images include ID scans and medical records, among other info.

Rhysida lists Heart South Cardiovascular Group on its data leak site.

Heart South has not acknowledged Rhysida’s claim and Comparitech cannot independently verify it. We do not know how attackers breached Heart South or if the hospital paid a ransom. Comparitech contacted Heart South for comment and will update this article if it replies.

“On or about November 11, 2025, Heart South learned that an unauthorized party claimed to possess Heart South data,” says the hospital’s notice to breach victims.

“The investigation did not find evidence of unauthorized network access or data theft, but we discovered that the bad actor recently posted a limited amount of Heart South data on the dark web.”

Heart South is offering breach victims free credit monitoring and identity theft restoration through Kroll.

The November 2025 breach was Heart South’s second data breach on record. After a cyber attack in May 2024, the hospital notified 20,577 people that their personal info had been compromised. No ransomware groups took credit for the attack.

Who is Rhysida?

Rhysida is a cybercriminal group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected devices. Rhysida operates a ransomware-as-a-service business in which affiliates pay Rhysida to use its malware and infrastructure to launch attacks and collect ransoms.

Rhysida has claimed responsibility for 265 ransomware attacks, of which 108 were confirmed by the organizations it targeted.

Of those 108 confirmed attacks, 25 hit healthcare providers, which in turn notified nearly 4 million people. Rhysida’s average ransom against a hospital is about $1.1 million.

Some of Rhysida’s other such ransom demands include:

  • $3.1 million from MedStar Health (MD) for a September 2025 data breach
  • $1.65 million from Spindletop Center (TX), which notified 88,863 people of a September 2025 data breach
  • $660,000 from MACT Health Board (CA) for a November 2025 data breach

None of the organizations above disclosed whether or not they paid a ransom.

Ransomware attacks on US healthcare

Comparitech researchers logged 132 confirmed ransomware attacks on US hospitals, clinics, and other healthcare providers in 2025. The hacked providers notified 11.3 million people about the resulting data breaches.

Other recent data breaches resulting from ransomware attacks on healthcare providers include:

  • Westminster Village Greenwood notified 14,386 people about a February 2025 data breach claimed by Inc Ransomware
  • MedPeds Associates of Sarasota notified 21,430 people of a September 2025 data breach claimed by Beast
  • Austin Plastic & Reconstructive Surgery notified 4,014 Texas residents of a June 2025 data breach claimed by ThreeAM
  • Rocky Mountain Care reported a January 2025 data breach claimed by Qilin
  • Southern Illinois Dermatology reported a November 2025 data breach claimed by Insomnia

In 2026 to date, we’ve tracked six confirmed attacks and 73 unconfirmed. Confirmed attacks are those that have been publicly acknowledged by the hacked organization.

Ransomware attacks on US hospitals, clinics, and other care providers can steal data and lock down infected computer systems. They can cripple critical systems and endanger the health, privacy, and security of patients. Infected hospitals and clinics must pay a ransom or face extended downtime, data loss, and increased risk to patients and staff. Hospitals and clinics might resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.

About Heart South Cardiovascular Group

Heart South Cardiovascular Group and the Heart South Vascular Institute consist of three clinics in the central Alabama towns of Clanton, Shelby, and Bibb. They diagnose and treat heart and vascular conditions.