Ransomware Gang Members Claim a Big-Scale Attack on Kettering Health

In another proof that healthcare institutions face more cyber threats, the group Interlock has declared its involvement in a significant attack on Kettering Health, a leading healthcare network based in Ohio. When the breach was disclosed on May 20, 2025, Kettering Health had to deal with system failures, problems in providing care to patients and data leakage comprising 941 gigabytes. While healthcare providers try to recover from the attack, it reveals key weaknesses in their cybersecurity and leads to new issues about the safety of patient information and future stability.

Recent Cyberattack at Kettering Health is causing major problems 

Kettering Health, a not-for-profit group with 14 hospitals, over 120 outpatient facilities and 15,000 staff members (including 1,800 physicians), helps millions of patients a year in western Ohio. As a result of the ransomware attack, the majority of the hospital’s computers stopped functioning, which seriously affected how patients were treated. Clinics and emergency rooms kept operating, yet surgical procedures for things such as chemotherapy and MRIs were not done, so people returned to using paper charts. After the attack, both call centers and patient care systems were down, which meant patients could not view their EHR and care teams found it tougher to communicate. Kettering Health acknowledged the “technology outage” and assured everyone that emergency services were available as efforts to fix the problem were taking place.

Kettering Health suffered a data breach loss late last month, and earlier this week, a formerly undisclosed ransomware group, Interlock, publicly accepted responsibility. Using their dark website, the gang explained that they had acquired 941 GB of information with more than 20,418 folders and 732,490 files. Reports say that the data includes a broad variety of sensitive details.

This involves the collection of patient names, numbers and complete clinical summaries that give details on the mental state, medication taken and any health issues.

• Employee information and the files are located in shared drives.
• The company’s records for financial reports, payroll information and the document with its tax ID.
• Kettering Health Police Department personnel files, which contain both background checks and polygraph tests.
• Copies or scans of identification papers such as passports and driver’s licenses from Ohio and other places.

The group made public some examples of stolen files, which included money reports and insurance papers, proving how much data was taken. A medical records leak endangers the privacy of patients and also makes internal procedures and security points vulnerable to additional danger.

Negotiations did not work out, as the victim didn’t pay the ransom

At first, there were reports that Interlock did not take responsibility for the attack and feared pressuring Kettering Health into giving a ransom. Even so, giving this information early points to the fact that the group expects negotiations to be over. John Weimer, the senior vice president of emergency operations at Kettering Health, assured that the organization did not give in and pay whatever was demanded. The healthcare provider has refused to give more information when approached by reporters. Refusing to pay the ransom has become more popular because experts and law enforcement agencies say that paying a ransom may result in more attacks and may not help with securing your data.

What Was Done and Difficulties in the Process

Although the attack was very severe, the hospital has managed to bring back some important services. As announced on June 2, the hospital network has fixed the core parts of its Epic electronic record system, so now doctors have better access to patient records and improved tools for organizing treatment and contacting other doctors. At the same time, functions like MyChart and the call center are either closed or work in a limited way, causing difficulties for patients and keeping things off-track at the hospital. To handle communication issues, Kettering Health has put in place temporary phone lines that have nurses answering urgent problems. At this point, the timeline for restoration is unclear since the main concern is making the IT systems secure and fully functioning before services can return to normal.

Increasing Damage of Interlock on Health and Other Industries

Since it began in late 2024, Interlock has proven itself to be a real danger by attacking both healthcare and other sectors in the US Members of the group admit to taking part in many significant hacks, including the recent infiltration of DaVita, which hosts Fortune 500 kidney care centers, stealing more than 1.5 terabytes of crucial information. It is said that Interlock uses the tool NodeSnake in remote attacks and also copies the look of some IT tools to access networks.

The recent incident at Kettering Health is another instance of a bigger problem for healthcare organizations. Notably, in 2024, the healthcare sector in the US was hit by Breach records such as Change Healthcare’s incidents that impacted 190 million people and another case at Ascension that revealed over 5.6 million patient records. They disturb medical care, compromise the protection of patients’ data and overload a system that is already overloaded by other difficulties.

In an examination of the effects and what will follow as a result of the Kettering Health ransomware attack, several vital problems have become clear. The pause on regular procedures and using papers increases the likelihood of mistakes in care and delayed treatment for patients. The disturbance caused difficulties for cancer patients as they had to rely on emergency care only. When personal health records and employee details are exposed, it creates big concerns about following HIPAA rules. ID and financial papers that become accessible to others make people more at risk for identity theft and fraud. It was hard for healthcare systems to properly and quickly recover their IT systems after suffering from serious cyber assaults. Reliance on Epic and similar products brings more challenges to the recovery task. The success of the test proves that Kettering Health’s cybersecurity is weak, as seen in its exposure to phishing, attacks on remote resources and inadequate security patches.

What’s Next?

It is important for healthcare organizations to quickly improve their cybersecurity processes by investing in spotting threats, responding to events and training workers. Partnerships with government and private cyber firms will help stop the progress of new ransomware threats.

Besides fixing the technology, Kettering Health needs to work on the trust of patients and prove they will be better protected in the coming times. Telling people how much information was affected and what actions are being taken will help keep them confident. The Interlock ransomware gang’s announcement that it was behind the Kettering Health cyberattack indicates a big jump in healthcare cybercrime. When a terabyte was stolen, and medical care stopped for many Ohioans, the event taught us about the risks facing healthcare systems. Now, the entire healthcare sector should use Kettering Health’s example to improve protection against ransomware.