The Kettering Health ransomware attack that began on May 20, 2025, shows how cybersecurity failures can disrupt patient care across an entire healthcare network. As Ohio’s Kettering Health works to recover from an attack by the Interlock ransomware gang, the incident highlights the operational challenges healthcare organizations face when critical systems go offline.
What Happened at Kettering Health
Kettering Health operates 14 medical centers and over 120 outpatient facilities across western Ohio, serving approximately 1.5 million patients annually with more than 15,000 employees. The nonprofit organization disclosed a cyberattack on May 20 that triggered an outage affecting its call center and some patient care systems, leaving staff without access to computerized charting systems and forcing care teams back to pen and paper.
The attack forced immediate operational changes. Elective inpatient and outpatient procedures at Kettering Health facilities were canceled on May 20, with procedures being rescheduled for later dates. Patient reports on social media indicated widespread disruptions: difficulties getting medication refills, inability to contact doctors’ offices, and some emergency rooms operating at reduced capacity.
Patients described the situation as reverting to manual processes. “Everything is being done by hand — pen and paper,” one patient said.

The Interlock Ransomware Gang
Interlock is a newer ransomware operation that surfaced in September 2024 and has claimed responsibility for dozens of victims worldwide, many of them healthcare organizations. The group follows a double-extortion model, encrypting systems while simultaneously stealing data to use as additional leverage.
“Your network was compromised, and we have secured your most vital files,” the ransom note says. The note threatens to leak data allegedly stolen from Kettering Health online unless the health network begins negotiating an extortion fee.
Interlock has targeted multiple healthcare organizations recently, including DaVita, a major kidney care provider.
Data Breach Follows Ransom Refusal
Kettering Health appears to have declined to pay the ransom demand. On June 5, 2025, approximately two weeks after the initial attack, the Interlock ransomware operation claimed responsibility for the attack and published samples of allegedly stolen data.
Interlock boasted about stealing 941 GB of data from the organization, including ID cards, financial reports, payment data, and more. In total, 732,490 files across 20,418 folders were exfiltrated, the ransomware group claims.
The leaked samples include financial reports, budget documents, corporate insurance information, and identity documents.
Recovery Progress and Ongoing Challenges
Kettering Health has made steady progress restoring systems. On June 3, Kettering Health successfully launched the core components of its Epic electronic health record (EHR) system, with clinical staff beginning to use it at 7 a.m. This marked a major milestone in the organization’s broader restoration efforts.
However, full recovery remains ongoing. Work continues to bring inbound and outbound calling to Kettering Health facilities and practices back online, as well as MyChart for patients. The organization has established temporary phone lines for urgent clinical questions while working to restore normal communications.
Some operational disruptions continue weeks after the initial incident, with patients still experiencing difficulties accessing normal services.

Healthcare Under Persistent Threat
The Kettering Health incident reflects broader challenges facing healthcare cybersecurity. The US health care sector has for years been battered by cybercriminals who see hospitals as desperate to pay in order to keep patient care from being disrupted. The health sector reported more than 440 ransomware attacks and data breaches to the FBI last year, the highest tally of all critical infrastructure sectors.
Recent major healthcare breaches include the Change Healthcare attack, which affected 190 million people, and the Ascension breach that compromised 5.6 million patient records. These incidents demonstrate that healthcare organizations of all sizes face serious cybersecurity risks.
Why Healthcare Organizations Are Vulnerable
Healthcare cybersecurity faces unique challenges that make organizations attractive targets for ransomware groups:
- Complex IT Infrastructure: Healthcare networks often include legacy systems, medical devices, and administrative platforms that can be difficult to secure comprehensively.
- Operational Requirements: Healthcare organizations need 24/7 system availability, which can complicate security patching and maintenance schedules.
- Privileged Access Needs: Medical and administrative staff require access to sensitive systems, creating potential attack vectors if access controls aren’t properly managed.
- Resource Constraints: Many healthcare organizations operate with limited IT security budgets, potentially leaving gaps in their defense strategies.
The Role of Privilege Management in Healthcare Security
The Kettering Health attack illustrates why healthcare organizations need robust internal security controls. Even when attackers breach perimeter defenses, proper privilege management can limit their ability to move laterally through networks and access critical systems.
Privileged Access Management (PAM) solutions could address these challenges by removing permanent administrative rights and implementing just-in-time privilege elevation. This approach helps contain potential breaches by ensuring that compromised accounts can’t automatically access sensitive systems or escalate privileges across the network.
For healthcare organizations, this means:
- Limiting attacker movement even after initial compromise
- Maintaining detailed audit trails of all privileged activities
- Ensuring staff can still perform necessary tasks through approved elevation processes
- Reducing the attack surface that ransomware groups can exploit
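The following is an added example, not code from Kettering Health or from any PAM product: a minimal model of just-in-time elevation in which no account holds standing admin rights, each grant is time-boxed and approved by someone else, and every decision lands in an audit trail. The class names, account names, resource names and the one-hour cap are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_GRANT_SECONDS = 3600  # assumption: elevation is capped at one hour

@dataclass
class Grant:
    user: str
    resource: str
    approver: str
    expires_at: float

@dataclass
class ElevationBroker:
    eligible: dict  # user -> resources they may *request*; nobody has standing admin
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, now, event, user, resource, detail=""):
        self.audit.append({"ts": now, "event": event, "user": user, "resource": resource, "detail": detail})

    def request(self, user, resource, approver, seconds, now):
        """Issue a time-boxed grant if the request passes policy; log either way."""
        if resource not in self.eligible.get(user, set()):
            self._log(now, "DENY_REQUEST", user, resource, "not eligible")
            return None
        if approver == user:  # separation of duties: no self-approval
            self._log(now, "DENY_REQUEST", user, resource, "self-approval")
            return None
        grant = Grant(user, resource, approver, now + min(seconds, MAX_GRANT_SECONDS))
        self.grants.append(grant)
        self._log(now, "GRANT", user, resource, f"approver={approver} until={grant.expires_at}")
        return grant

    def is_authorized(self, user, resource, now):
        """Privileged access requires a live grant for this exact user and resource."""
        self.grants = [g for g in self.grants if g.expires_at > now]  # drop expired grants
        ok = any(g.user == user and g.resource == resource for g in self.grants)
        self._log(now, "ALLOW" if ok else "DENY_ACCESS", user, resource)
        return ok

def demo():
    """Constructed scenario: one account checked before, during and after a grant."""
    b = ElevationBroker(eligible={"nurse_admin": {"ehr-db"}})
    results = [b.is_authorized("nurse_admin", "ehr-db", now=0)]            # no standing right
    b.request("nurse_admin", "ehr-db", approver="it_lead", seconds=900, now=10)
    results.append(b.is_authorized("nurse_admin", "ehr-db", now=60))       # inside the window
    results.append(b.is_authorized("nurse_admin", "file-server", now=60))  # different system
    results.append(b.is_authorized("nurse_admin", "ehr-db", now=1000))     # window has expired
    return results, [e["event"] for e in b.audit]
```

A compromised credential in this model is useful only for the approved resource and only until the grant expires, and the denied attempts in the audit list are the signal a detection team would alert on.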
Looking Forward
As Kettering Health continues working toward full system restoration, the incident serves as a reminder that healthcare cybersecurity requires ongoing attention and investment. Organizations need comprehensive security strategies that protect both patient data and operational continuity.
The attack also highlights the importance of incident response planning. Healthcare organizations should prepare for scenarios where critical systems may be unavailable for extended periods, including backup communication methods and manual operational procedures.
Ultimately, healthcare cybersecurity isn’t just about protecting data (though that’s important). It’s about ensuring that organizations can continue providing patient care even when facing sophisticated cyber threats.