Cookeville Regional hit with ransomware attack impacting over 300k

The Tennessee-based health center is notifying patients about a 2025 ransomware attack.

What happened

Cookeville Regional Medical Center (CRMC) recently confirmed that they were the victims of a ransomware attack in 2025. According to their report to the Maine Attorney General, the attack resulted in the exposure of protected health information for 337,917 individuals. CRMC promptly announced that an incident had taken place, but details regarding the full scope of the ransomware incident have only recently been released.

The incident has been claimed by the Rhysida ransomware group. The group has since posted the data online.

Going deeper

According to CRMC’s online notice, their computer network was accessed between July 11th, 2025, and July 14th, 2025. The incident was reported to the Department of Health and Human Services (HHS) in August, 2025, but without information on the number of impacted individuals.

On March 16th, 2026, CRMC updated the information to reveal the full victim count. Information accessed in the breach included addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, medical treatment information, medical record numbers, and/or health insurance policy information.

In the know

The breach was claimed by a ransomware-as-a-service (RaaS) group known as Rhysida, which is believed to have ties to Russia. RaaS groups both conduct their own ransomware attacks and sell ransomware software to smaller, or less technologically-savvy individuals or groups, allowing more people to commit ransomware attacks.

According to Infosecurity Magazine, Rhysida claimed responsibility for the attack on August 2nd, 2025. The group demanded 10 Bitcoins, estimated to be worth approximately $1.15 million, and posted samples online as proof of the breach. According to Security Week, Rhysida claimed to have not found a buyer for the data and instead made it freely available for download. It’s estimated that approximately 500GB were released on the internet.

The big picture

Rhysda has recently become a prominent threat actor. Infosecurity studied their attacks and determined that the malicious group carried out 91 attacks in 2025 alone, demanding, on average, $1.2 million. Attacks have generally been against other healthcare organizations, like MedStar Health, which led to 7 million pieces of PHI being accessed. As a result of that breach, MedStar is currently in the midst of resolving a class action lawsuit.

According to Paubox reports, ransomware attacks by groups including Rhysida have grown massively, increasing approximately 264% since 2018. These attacks can be devastating to organizations, resulting in operational delays and delays in patient care. While CRMC did not face these consequences, every attack has the possibility of being extremely costly or dangerous for patients.

FAQs

Why do ransomware groups demand money in Bitcoin?

Ransomware groups generally demand money through Bitcoin because it’s more difficult to trace and is easier to use across currencies. Furthermore, Bitcoin allows large amounts of money to be transferred quickly, while traditional banks usually require additional time or steps.

Will CRMC also face a class action lawsuit?

It’s certainly possible that CRMC will face a class action lawsuit, as several firms are already trying to connect with victims. At this time, no lawsuit has moved towards a settlement or any other meaningful court action.

Is it ever worth it for an organization to pay a ransom?

Generally, it’s not advised to pay a threat actor, although law enforcement may, under certain circumstances, advise differently. Paying a ransom does not necessarily mean the data will be deleted, and thus, it may not prevent a lawsuit or other fines. Paying a ransom could potentially lead to the victimized organization ultimately paying more money and could even result in legal troubles.