The Nacogdoches Breach: Ransomware Response Lessons for Texas Medical Practices in 2026

April 9, 2026 | Incidents & Response

On January 31, 2026, Nacogdoches Memorial Hospital discovered that an unauthorized party had compromised its computer network, potentially exposing the personal and medical information of 257,073 patients. The breach notification letters began arriving in mailboxes on March 31, 2026, nearly two months after discovery. For Texas medical practices, the Nacogdoches incident provides a case study in both the evolving ransomware threat and the critical importance of response preparation.

The Nacogdoches breach arrived alongside a wave of ransomware attacks targeting Texas healthcare organizations. Austin Plastic and Reconstructive Surgery disclosed a ransomware incident affecting patients from June-July 2025, only notifying individuals in March 2026. Houston-based Lymphedema Therapy Specialists reported a February 2026 ransomware breach disclosed on the dark web before patient notification. These incidents demonstrate that ransomware is not merely a hospital problem; practices of all sizes face the same threat actors with the same devastating capabilities.

$1.02M: average recovery cost for healthcare ransomware incidents in 2025, down from $2.57M in 2024, but still devastating for small practices.

The Attack Timeline: What Really Happened

According to the hospital's disclosure, Nacogdoches Memorial Hospital became aware of the data security incident on January 31, 2026, because of a cyberattack in which an unauthorized party compromised the hospital's computer network and information systems. When discovered, the hospital immediately notified law enforcement, initiated its incident response plan, and began an investigation.

The investigation found that the unauthorized party may have had access to patient information including names, addresses, phone numbers, email addresses, Social Security numbers, dates of birth, medical record numbers, medical account numbers, health plan beneficiary numbers, and possible photograph images. The stolen data represents the comprehensive medical and identity information that ransomware groups now routinely harvest for secondary extortion.

Significantly, the hospital stated that it is not aware of any misuse of anyone's information as of the notification date. This qualifier appears in most breach notifications and illustrates a key challenge in ransomware response: organizations often cannot determine precisely what data was accessed or exfiltrated. The investigation revealed unauthorized access, but the full scope of data exposure may remain uncertain.

The Shift to Data Extortion-Only Attacks

Sophos research published in October 2025 revealed a significant shift in ransomware tactics affecting healthcare. Data encryption in healthcare dropped to its lowest level in five years, with only 34% of attacks resulting in data encryption. Conversely, the percentage of healthcare providers hit by extortion-only attacks tripled to 12% of attacks in 2025 from just 4% in 2022.

This shift reflects attackers' recognition that healthcare organizations increasingly refuse to pay encryption ransoms because they have invested in backup and recovery capabilities. Instead, attackers now focus on data theft and threatening publication. The sensitive nature of medical information, particularly from specialty practices like plastic surgery or mental health services, provides significant leverage for extortion even without encrypting systems.

Ransom demands in healthcare dropped dramatically, with the average demand falling 91% to $343,000 in 2025 from $4 million in 2024. However, the percentage of providers paying ransoms also declined to just 36%, down from 61% in 2022. Attackers are adapting by threatening data publication rather than system destruction, and by targeting backup systems to prevent recovery.

Why Texas Practices Are Particularly Vulnerable

The ransomware threat landscape in Texas has unique characteristics that increase risk for medical practices:

Geographic Concentration: Major Texas medical centers create dense targets for ransomware groups. The state's extensive healthcare ecosystem, from major Houston hospital systems to rural critical access hospitals, provides diverse targets with varying security maturity. Attackers can target multiple organizations using similar tactics, refining their approaches based on success.

Vendor Centralization: Many Texas practices rely on the same technology vendors, managed service providers, and cloud platforms. When a vendor is compromised, the impact cascades across dozens or hundreds of practices. The Nacogdoches breach and similar incidents reveal how quickly attackers can move through interconnected healthcare networks.

Regulatory Complexity: Texas practices must navigate both federal HIPAA requirements and state-level HB300 mandates. This complexity can delay incident response as legal teams determine notification obligations under multiple frameworks. The Texas 48-hour notification requirement for breaches affecting 250 or more residents creates additional pressure that organizations without preparation struggle to meet.

Economic Pressure: Many small Texas practices operate on thin margins, limiting their ability to invest in robust backup systems, incident response retainers, and cybersecurity insurance. When ransomware strikes, these resource constraints can force difficult decisions about payment versus recovery.

The Austin Plastic Surgery Ransomware Case

While Nacogdoches Memorial Hospital attracted headlines due to its size, the Austin Plastic and Reconstructive Surgery ransomware incident illustrates the threat facing smaller specialty practices. The practice discovered unauthorized access to its network between June 30 and July 1, 2025. The breach was attributed to a threat actor known as "3AM," a ransomware group that emerged in 2024 and specifically targets healthcare organizations.

The practice did not confirm the scope of compromised data until February 28, 2026, and did not begin notifying affected individuals until March 11, 2026. That gap between breach occurrence and patient notification, over eight months, raises significant compliance questions under HIPAA's 60-day notification requirement and potentially under Texas state law as well.

The compromised data included full names, home addresses, dates of birth, Social Security numbers, driver's license numbers, passport numbers, financial account information, medical records, treatment information, and health insurance information. This represents the complete identity theft toolkit, providing attackers with everything needed for credit fraud, medical identity theft, and targeted spear-phishing campaigns.

Plastic surgery practices face particular ransomware risk because their records include clinical photographs and detailed personal histories that patients are especially motivated to keep private. Attackers know this and price their extortion demands accordingly. The Austin practice is now subject to class action litigation and faces ongoing reputational damage in addition to response costs.

Incident Response: Lessons from the Field

The Nacogdoches and Austin incidents demonstrate both effective and ineffective response strategies that other Texas practices should study:

Immediate Containment: Nacogdoches Memorial Hospital's immediate notification to law enforcement and initiation of incident response protocols represents best practice. When ransomware is suspected, every minute counts. Systems must be isolated, credentials frozen, and forensic preservation initiated before attackers can expand their foothold or destroy evidence.

Forensic Investigation: Understanding what happened, how it happened, and what was accessed requires professional forensic analysis. The investigation timeline at Nacogdoches extended two months, reflecting the complexity of determining scope in modern ransomware attacks. Practices must have forensic response relationships established before incidents occur.

Notification Compliance: The Austin practice's eight-month notification delay illustrates the compliance risks that follow a breach. HIPAA requires notification to individuals within 60 days of discovery, and Texas requires notification to the Attorney General within 48 hours for large breaches. Missing these deadlines creates separate regulatory liability.

Recovery Capabilities: The Sophos report found that backup use has fallen to 51% of healthcare providers in 2025, down from 72% previously. This decline suggests that practices may be over-relying on cloud services that are themselves vulnerable to ransomware. Immutable backups, air-gapped from production networks, remain the only reliable recovery mechanism.

Preparing Your Practice for Ransomware Response

Every Texas medical practice should assume that ransomware is a when, not if, proposition. Preparation before an incident determines the difference between controlled response and organizational crisis:

  1. Establish an incident response retainer - Have forensic, legal, and communications experts under contract before you need them. During an active incident, you will not have time to vet vendors.
  2. Document the 72-hour timeline - Know exactly what you will do in the first 72 hours: who makes decisions, who contacts law enforcement, who manages internal communications, and who coordinates with forensics.
  3. Test recovery from backups - Conduct quarterly restoration tests that prove your backup strategy actually works. Document these tests for compliance purposes.
  4. Prepare notification templates - Draft breach notification letters, website statements, and call center scripts before an incident occurs. Update contact information for required notifications (HHS, Texas AG, media).
  5. Conduct tabletop exercises - Walk through ransomware scenarios with your team to identify gaps in your incident response plan before attackers find them.

Prepare Your Practice for Ransomware Response

We develop incident response plans, conduct tabletop exercises, and implement immutable backup strategies that work under real ransomware pressure. Our preparation services ensure that when ransomware strikes, your practice responds with control rather than chaos. We help you meet the 48-hour Texas notification requirement and the 72-hour recovery mandate.

Call 469-235-4144 or schedule online. We prepare Texas medical practices for ransomware realities.