Two U.S. healthcare organizations were posted to dark web leak sites on the same day by two separate ransomware groups — TheGentlemen claiming Michigan Surgical Center and Genesis claiming Family Medical Associates of Raleigh, North Carolina — exposing sensitive patient health information to double-extortion pressure from parallel criminal campaigns.
TheGentlemen’s Second U.S. Healthcare Victim in Three Days
TheGentlemen ransomware posted Michigan Surgical Center — a U.S. ambulatory surgical center — to its leak site on June 3, 2026. The posting marks the group’s second U.S. healthcare victim in three days and follows a recent pattern of healthcare-sector targeting that has accelerated alongside the group’s overall victim velocity. TheGentlemen is documented as the second-most active ransomware group in 2026 by victim count, with more than 330 victims claimed across five months of operation.
Ambulatory surgical centers hold a concentrated category of patient data: pre-operative assessments, surgical records, anesthesia documentation, post-operative notes, prescription records, and insurance billing data that includes diagnosis codes and procedure histories. A ransomware compromise of an ambulatory surgical center therefore exposes protected health information spanning the full surgical care episode — not just administrative records.
TheGentlemen’s Accelerating Pattern of U.S. Healthcare and Critical Sector Targeting
The frequency of TheGentlemen’s healthcare postings — reaching two U.S. healthcare victims in three days in early June — reflects the group’s targeting strategy, which spans healthcare, critical infrastructure, and dental services in the same operational period. The group’s pace suggests a Ransomware-as-a-Service operational model in which multiple affiliates run simultaneous campaigns across different target sectors, with healthcare appearing as a consistently prioritized vertical.
Healthcare organizations represent a high-pressure category for ransomware operators: patient safety and operational continuity create urgency for rapid ransom consideration, PHI carries HIPAA notification obligations that add regulatory cost to the breach, and the reputational stakes of a patient data disclosure create leverage beyond the immediate operational disruption.
PHI Categories and HIPAA Breach Notification Obligations for Michigan Surgical Center
The Protected Health Information at risk in a surgical center compromise spans multiple sensitivity levels, including medical histories, prescription records, insurance billing data, and potentially Social Security numbers used for patient identification and billing verification. Under HIPAA’s Breach Notification Rule, covered healthcare entities that experience a breach affecting PHI must notify affected individuals within 60 days of discovery. Breaches affecting 500 or more individuals in a state additionally require notification to the Department of Health and Human Services and prominent local media.
Genesis Ransomware Claims Family Medical Associates of Raleigh
Genesis ransomware simultaneously claimed Family Medical Associates of Raleigh — a primary care group serving patients across central North Carolina — on the same June 3 posting day. Genesis has documented healthcare and financial services targeting, with a prior January 2026 claim against IMA Diligence establishing a pattern of targeting high-value, data-rich organizations.
A primary care group carries a particularly broad PHI footprint: longitudinal patient records, chronic condition management data, referral networks, prescription histories, and the routine health data accumulated across years of patient relationships. The breadth of a primary care PHI dataset differs from a surgical center in scope rather than severity — covering more patients over longer periods.
No data publication has been confirmed for either victim as of the posting date. Both postings initiate the double-extortion window during which the groups may release or sell exfiltrated data if ransom terms are not met. Both Michigan Surgical Center and Family Medical Associates face potential HIPAA breach notification obligations once the scope of any data access is determined through their investigation processes.
