Ransomware Group Interlock Claims Responsibility for Kettering Health Cyberattack

In May 2025, Kettering Health, a prominent network of hospitals, clinics, and medical centers in Ohio, experienced a significant cybersecurity breach. The ransomware group known as Interlock has publicly claimed responsibility for this attack, asserting that they have exfiltrated over 940 gigabytes of sensitive data from the healthcare provider’s internal systems.

Details of the Cyberattack

The breach, which occurred in mid-May, compelled Kettering Health to shut down all its computer systems as a precautionary measure. This disruption affected various operations, including patient care services and administrative functions. Interlock, a relatively new but increasingly active ransomware group, has been targeting healthcare organizations in the United States since September 2024. Their modus operandi involves infiltrating networks, encrypting critical data, and demanding ransom payments to prevent the release of stolen information.

Nature of the Stolen Data

A preliminary analysis of the data published by Interlock on their dark web site indicates that the stolen information encompasses a wide range of sensitive materials. This includes private health information such as patient names, identification numbers, and detailed clinical summaries authored by physicians. These summaries contain comprehensive data on patients’ mental status, prescribed medications, health concerns, and other critical health metrics. Additionally, the breach has compromised employee records and the contents of shared drives within the organization.

Notably, among the exposed data are documents related to the Kettering Health Police Department. These files include background checks, polygraph results, and other personally identifiable information of law enforcement personnel associated with the healthcare system.

Kettering Health’s Response

In response to the cyberattack, Kettering Health has been working diligently to restore its systems and services. As of early June, the organization announced the successful restoration of core components of its electronic health record system, provided by Epic Systems Corporation. This achievement marks a significant milestone in their broader recovery efforts and is crucial for resuming normal operations.

John Weimer, Senior Vice President of Emergency Operations at Kettering Health, has stated that the organization has not paid any ransom to the attackers. This decision aligns with the broader stance of many institutions, which refuse to negotiate with cybercriminals in order to deter future attacks.

Implications for the Healthcare Sector

The Kettering Health incident underscores the escalating threat of ransomware attacks targeting the healthcare industry. Healthcare organizations are particularly vulnerable due to the critical nature of their services and the sensitive data they handle. The disruption caused by such attacks can have severe consequences, including delayed medical procedures, compromised patient care, and significant financial losses.

This attack is part of a broader trend of increasing cyber threats against healthcare providers. For instance, in April 2025, DaVita Inc., a major U.S. dialysis provider, disclosed that it was the target of a ransomware attack that encrypted parts of its network and disrupted some operations. Despite these issues, the company maintained patient care services and implemented interim measures, including isolating affected systems. DaVita is currently working with external cybersecurity experts and has informed law enforcement. The extent and duration of the disruption remain unknown, and DaVita has not yet provided detailed information on the scope of the breach or its containment strategies.

The company manages nearly 3,000 outpatient clinics and serves about 200,000 patients annually, including services at 760 hospitals. The incident adds to a growing list of cyberattacks targeting the U.S. healthcare sector, including previous breaches at DaVita’s rival Fresenius Medical Care and UnitedHealth Group’s tech unit, which affected hundreds of thousands to millions of individuals.

The Rise of Interlock

Interlock has rapidly emerged as a formidable threat within the cybersecurity landscape. Since its first known activities in September 2024, the group has focused primarily on healthcare institutions, exploiting vulnerabilities to gain unauthorized access to sensitive data. Their tactics often involve sophisticated phishing campaigns, exploitation of unpatched software vulnerabilities, and the use of advanced malware to infiltrate and encrypt critical systems.

The group’s decision to publicly claim responsibility for the Kettering Health attack suggests that ransom negotiations may have stalled or failed. By releasing portions of the stolen data, Interlock aims to pressure the organization into compliance, a common strategy among ransomware operators.

Preventative Measures and Recommendations

The Kettering Health incident serves as a stark reminder of the importance of robust cybersecurity measures within the healthcare sector. Organizations are urged to implement comprehensive security protocols, including regular system updates, employee training on phishing and social engineering tactics, and the establishment of incident response plans.

Additionally, healthcare providers should consider conducting regular security audits, investing in advanced threat detection systems, and collaborating with cybersecurity experts to identify and mitigate potential vulnerabilities. Engaging in information-sharing initiatives with other healthcare organizations can also enhance collective defense mechanisms against cyber threats.

Conclusion

The ransomware attack on Kettering Health by the Interlock group highlights the growing cybersecurity challenges facing the healthcare industry. As cybercriminals continue to evolve their tactics, it is imperative for healthcare organizations to prioritize and strengthen their cybersecurity frameworks to protect sensitive patient data and ensure the continuity of critical medical services.