Spindletop Center Data Breach 2025 (Rhysida Ransomware): 88,863 Southeast Texas Behavioral-Health, IDD, and SUD Patients Exposed. SSNs, Government IDs, Diagnoses, and Case Numbers Stolen. What To Do
Spindletop Center, the local mental health authority for Southeast Texas (Beaumont / Orange / Silsbee / Port Arthur), filed a HIPAA breach with HHS OCR on November 28, 2025 reporting 88,863 affected individuals. The Rhysida ransomware group claimed the intrusion and listed the center on its dark-web leak site, demanding 15 BTC. Exposed data spans Social Security numbers, driver's license / government IDs, dates of birth, addresses, diagnosis information, and case numbers — categories of particular sensitivity for a center providing behavioral health, intellectual / developmental disability, and substance-use disorder treatment subject to 42 CFR Part 2.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 23, 2025
Earliest unauthorized access to Spindletop systems identified by post-incident forensic review
Sep 29, 2025
Systems and servers rendered inoperable; Spindletop detects the attack and engages outside cybersecurity counsel
Oct 30, 2025
Rhysida lists Spindletop on its Tor leak site, claiming 100,000+ records and demanding 15 BTC (~$1.65M)
Nov 28, 2025
Spindletop files HIPAA breach notification with HHS OCR at 88,863 affected
Dec 3, 2025
Internal data review concludes; affected-individual list finalized for substitute-notice mailing
Sep 23, 2025
Earliest unauthorized access to Spindletop systems identified by post-incident forensic review
Sep 29, 2025
Systems and servers rendered inoperable; Spindletop detects the attack and engages outside cybersecurity counsel
Oct 30, 2025
Rhysida lists Spindletop on its Tor leak site, claiming 100,000+ records and demanding 15 BTC (~$1.65M)
Nov 28, 2025
Spindletop files HIPAA breach notification with HHS OCR at 88,863 affected
Dec 3, 2025
Internal data review concludes; affected-individual list finalized for substitute-notice mailing
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Spindletop Center, the designated Local Mental Health Authority for Southeast Texas (Hardin, Jefferson, and Orange counties), filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on November 28, 2025, reporting 88,863 affected individuals following a Rhysida ransomware intrusion that began on September 23, 2025 and surfaced operationally on September 29, 2025.
Spindletop is a public, non-profit community center headquartered in Beaumont with additional locations in Orange, Silsbee, and Port Arthur. It serves more than 16,000 people per year across mental-health, intellectual and developmental disability (IDD), substance-use disorder (SUD) treatment, and early-childhood-intervention service lines. The sensitivity of those populations, not the raw record count, is what makes this incident materially different from a typical hospital ransomware event.
Timeline
- September 23, 2025. Earliest unauthorized access to Spindletop systems, as later determined by post-incident forensic review.
- September 29, 2025. Systems and servers become inoperable. Spindletop detects the attack, takes systems offline, and engages outside cybersecurity counsel.
- October 30, 2025. Rhysida lists Spindletop on its Tor leak site, claims exfiltration of 100,000+ records, publishes sample documents as proof, and demands 15 BTC (approximately $1.65M at the time of listing).
- November 28, 2025. Spindletop files the HIPAA breach with HHS OCR at the final figure of 88,863 affected.
- December 3, 2025. Internal data review concludes and the affected-individual list is finalized for substitute-notice mailing.
What was exposed
Based on Spindletop’s notice content as summarized by Comparitech and ClaimDepot, the verified exposed-data inventory includes:
- First and last name
- Date of birth
- Address
- Social Security number
- Driver’s license or government-issued ID number
- Diagnosis information
- Case number
- Other medical information
- Financial information
Rhysida’s leak-site posting separately claimed the trove included passport numbers, phone numbers, and clinical histories. Spindletop has not publicly confirmed that broader characterization; the inventory above is the verified set from Spindletop’s own notice.
A separate data-leak tracking service (databreach.com) indexed 217,644 rows from the Rhysida posting as of October 30, 2025. That figure is substantially higher than the 88,863 confirmed by HHS OCR. The discrepancy is consistent with Rhysida’s standard approach of exfiltrating broader file dumps that include duplicates, administrative records, and employee data alongside patient records. The 88,863 figure from HHS OCR is the authoritative HIPAA-scope count of individuals whose PHI was within the breach. The larger row count suggests the published data set was not confined to patient clinical records.
Public reporting to date does not indicate that Spindletop offered complimentary credit monitoring or identity-theft protection. The substitute notice instead directs individuals to monitor their own credit reports, place fraud alerts or security freezes, and watch for phishing. A dedicated inquiry line was set up for affected individuals.
State AG filings. Spindletop filed breach notifications with at least 14 state attorneys general, including California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington, consistent with multi-state notification obligations for an entity whose records span residents outside Texas.
Sensitive-population considerations: mental health and SUD records (42 CFR Part 2)
Spindletop is not a general acute-care hospital. It is the designated Local Mental Health Authority providing behavioral health, IDD, and substance-use disorder treatment. That changes the regulatory and personal-risk profile of the affected records in two specific ways.
- 42 CFR Part 2 records. Federally assisted SUD treatment programs are subject to 42 CFR Part 2, which imposes confidentiality protections on patient records that exceed the HIPAA baseline and that apply specifically to records identifying a person as having received SUD treatment. Following the 2024 HHS Final Rule aligning Part 2 with the HIPAA Breach Notification Rule, Part 2 program breaches are subject to the same notification cadence, but the underlying records remain a uniquely sensitive category for re-identification risk and for downstream harms in employment, child custody, housing, professional licensing, and insurance. Public reporting on this incident has not disclosed what share of the 88,863 records derive from SUD-treatment encounters versus the center’s other service lines, but any nonzero share carries Part 2 implications.
- Diagnosis-level mental-health detail. The exposed inventory expressly includes diagnosis information and case numbers. Paired with name and date of birth, those fields can re-identify a behavioral-health patient. For a center whose caseload includes serious mental illness, IDD, and early-childhood-intervention referrals (including minor children), the combination of identity and diagnosis is the harm vector, not the SSN alone. A credit freeze does not solve diagnosis exposure.
If you or a family member received SUD treatment from Spindletop, the standard “freeze your credit” guidance is necessary but not sufficient.
Class-action posture
Two plaintiff firms have publicly confirmed investigations: Shamis & Gentile P.A. and Federman & Sherwood (investigation announced February 12, 2026). Both are examining whether Spindletop maintained reasonable data-security practices and whether affected individuals have viable legal claims. As of this update no docketed federal complaint in the Eastern District of Texas (the venue covering Beaumont) has surfaced in the public court-records aggregators reviewed for this entry. Filings in ransomware breaches of this scale typically begin within 30 to 90 days of substitute-notice mailing, so the absence of a complaint as of this update is consistent with the timing rather than dispositive.
We will update this section as complaints are filed.
What to do if you may be affected
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the highest-leverage step against new-account identity theft given full SSN and government-ID exposure.
- Read your individual notice letter carefully. Spindletop’s letter lists the specific data elements that applied to your record. Treat that list as authoritative for your case.
- File IRS Form 14039 if you have any indication of tax-related identity theft.
- Be alert for targeted phishing. Diagnosis and case-number exposure means phishing against Spindletop patients can reference details that feel legitimate. Treat any caller, texter, or emailer claiming to be from Spindletop, Rhysida, or a “data recovery” service as hostile by default.
- If your record included SUD treatment, ask Spindletop in writing what 42 CFR Part 2 records, if any, were within scope. The 2024 Part 2 Final Rule does not give Spindletop a basis to refuse that question.
- Stop the ongoing flow of your behavioral-health data. HealthConsent files Part 2 redisclosure restrictions, HIPAA restriction requests, and state-law deletion requests so the mental-health and substance-use treatment data exposed in this breach is not continuously re-shared by downstream entities.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record of this breach.
- Comparitech: Texas behavioral health center warns patients of data breach — independent trade reporting on the incident, exposed-data inventory, and Rhysida attribution.
- ClaimDepot: Spindletop Center Data Breach Exposes PII of 88,863 Individuals — secondary aggregation of the notice content, confirmed affected count, and state AG filing list.
- ClaimDepot: Spindletop Center Data Breach Lawsuit Investigation — plaintiff-firm investigation tracker (Shamis & Gentile P.A.).
- RedPacket Security: Rhysida ransomware victim — Spindletop Center — leak-site listing record.
- Spindletop Center — official site — entity background, service-line scope, and Local Mental Health Authority designation.
- Federman & Sherwood: Spindletop Center Data Breach Investigation — second plaintiff-firm investigation announced February 12, 2026.
- DeXpose: Rhysida Ransomware Hits Spindletop Center — threat-intelligence analysis of the October 30, 2025 Rhysida leak-site posting, including Rhysida’s claimed data categories.
- Breachsense: Spindletop Center Data Breach — independent dark-web monitoring record confirming Rhysida attribution and discovery date.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Comparitech: Texas behavioral health center warns patients of data breach that leaked SSNs, medical info
- ClaimDepot: Spindletop Center Data Breach Exposes PII of 88,863 Individuals
- ClaimDepot: Spindletop Center Data Breach Lawsuit Investigation (Shamis & Gentile)
- RedPacket Security: Rhysida ransomware victim — Spindletop Center
- Spindletop Center — official site
- Federman & Sherwood: Spindletop Center Data Breach Investigation
- DeXpose: Rhysida Ransomware Hits Spindletop Center
- Breachsense: Spindletop Center Data Breach
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.