Kettering Health ransomware hit 1.7M, confirmed year after Interlock breach
Farah Amod
April 28, 2026
The HHS Office for Civil Rights breach portal has been updated to show that the May 2025 ransomware attack on the Ohio health system exposed protected health information belonging to nearly 1.7 million individuals, while 44 lawsuits over delayed and denied patient care move through the courts.
What happened
Kettering Health, a 14-hospital health system based in western Ohio, now has a confirmed count of 1,695,382 individuals affected by its May 2025 ransomware attack, per an update to the HHS Office for Civil Rights breach portal. According to BleepingComputer, the Interlock ransomware group breached Kettering Health's network and stole data before deploying ransomware on May 20, 2025, triggering a system-wide outage across all 14 medical centers and more than 120 outpatient facilities. Kettering Health first reported the breach to HHS on July 21, 2025, using a placeholder figure of 501 affected individuals while its file review remained ongoing. The protected health information (PHI) confirmed as compromised includes names, Social Security numbers, financial account numbers, driver's license numbers, medical and treatment information, health insurance information, billing and claims information, passport numbers, and usernames and passwords.
Going deeper
Interlock first gained access to Kettering Health's network on April 9, 2025, and retained that access for 41 days before deploying ransomware on May 20. According to Comparitech, Interlock claimed to have exfiltrated 941 gigabytes of data comprising 732,490 files before encrypting systems, and subsequently published the stolen data on its dark web leak site after, by that account, the health system did not pay the ransom. The attack forced the health system to shut down approximately 600 digital applications, with staff reverting to pen and paper for patient records. The Epic electronic health record system was not restored until June 2, 2025, and normal operations did not resume until June 10. Shortly after the attack was detected, fraudulent phone calls targeting Kettering Health patients began, with callers claiming to be Kettering staff and requesting credit card payments for medical expenses, prompting the health system to suspend all billing-related outbound calls as a precaution.
What was said
In its official incident FAQ, Kettering Health stated: "Cybersecurity incidents like this are becoming increasingly sophisticated, even targeting large and well-protected organizations. As soon as we detected unauthorized activity, we acted immediately to contain it and began strengthening our systems further." The health system confirmed that network segmentation, enhanced monitoring, and updated access controls were implemented as part of its recovery, and that all attacker tools and persistence mechanisms were removed from its systems. Kettering Health declined to confirm whether a ransom payment was made, stating it would not comment on specific operational details of its response.
In the know
The 44 lawsuits consolidated against Kettering Health illustrate the patient safety consequences of ransomware extending far beyond data theft. According to Becker's Hospital Review, of the 44 individual complaints filed in Montgomery County Common Pleas Court, 37 allege delayed treatment and eight allege denial of care. Plaintiffs include patients receiving cancer treatment and other ongoing care who were left without access to medications and had appointments rescheduled months later or not rescheduled at all. The consolidated complaint asserts negligence, gross negligence, emotional distress, and breach of contract, with plaintiffs seeking compensatory damages exceeding $25,000, punitive damages, and attorneys' fees. According to DataBreaches.net, Kettering Health stated it is unaware of any misuse of the exposed information at this time.
The big picture
A 41-day dwell period before ransomware deployment reflects a pattern in which attackers prioritize data exfiltration over speed, maximizing leverage by accumulating stolen data before triggering an outage. Healthcare organizations face compounded exposure in this model: the operational disruption of encryption on top of the compliance and litigation exposure of confirmed data theft. According to the Paubox 2026 Healthcare Email Security Report, ransomware attacks on healthcare organizations have surged 264% since 2018, and the average healthcare data breach now costs $9.8 million, according to IBM. The Kettering Health incident adds a further dimension: the lawsuits asserting denied and delayed care establish a legal theory in which the operational consequences of a ransomware attack, not just the data exposure, generate direct liability to patients whose treatment was interrupted.
FAQs
Why did it take nearly a year to confirm the number of individuals affected?
Large health systems must complete a detailed review of every file the attacker accessed or exfiltrated during the intrusion period to determine who was affected and what data elements were involved. With 941 gigabytes across hundreds of thousands of files, that review takes months. The HHS breach portal lists incidents affecting 500 or more individuals, and organizations commonly submit a placeholder figure of 501 while the analysis is ongoing; the final total is updated once the review is complete.
What does a 41-day dwell period indicate about how the attack was executed?
A 41-day dwell period means the attacker had extended, undetected access to the network before deploying ransomware. During that window, Interlock mapped the environment, identified high-value data, and exfiltrated it before triggering the encryption that made the intrusion visible. Organizations that first detect the intrusion at the encryption stage have already lost the data; the outbound transfer of hundreds of gigabytes during the dwell period is the earlier, and more recoverable, signal.
Why did fraudulent scam calls targeting Kettering patients begin so quickly after the attack?
Interlock's data exfiltration included patient contact information, billing records, and financial details. Attackers or buyers of that data could immediately deploy social engineering campaigns targeting patients who were already anxious about disrupted care, making them more likely to respond to calls referencing their relationship with the health system.
What makes the patient care lawsuits different from standard data breach litigation?
Standard data breach class actions seek compensation for the risk of identity theft from exposed personal data. The Kettering lawsuits assert that the health system's failure to maintain operational continuity directly caused physical harm through delayed or denied medical treatment, a higher bar for damages that goes beyond data exposure to clinical outcomes.
What security controls are most relevant to preventing this type of prolonged intrusion?
Network segmentation limits how far an attacker can move once inside, reducing the volume of data reachable from a single point of compromise. Behavioral monitoring that baselines normal access and outbound traffic per host can surface an intrusion during the dwell period, before encryption is deployed; a transfer on the scale of 941 gigabytes is far outside any clinical workstation's or file server's normal egress. Immutable, isolated backups allow systems to be restored without paying a ransom even after encryption occurs, provided the restore procedure is tested and fast enough: backups address the outage, not the exfiltration, and in this case the electronic health record system was still down for 13 days.
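The two detection ideas above (catching a dwell-period intrusion from its egress volume, and doing so before the encryption stage) as an added example, not code from Kettering Health, Paubox, or any vendor named on this page. It assumes per-host daily totals of bytes sent to external destinations not on an allowlist, as a NetFlow collector or proxy log pipeline could produce; the hosts, rates and dates are constructed for the example and do not describe the real incident.

```python
"""Egress-volume anomaly detection over per-host daily flow summaries.

Added example; not Kettering Health's, Interlock's, or any vendor's code.
Input format (assumed): CSV lines of date,host,egress_bytes, one per host per
day, where egress_bytes counts traffic to non-allowlisted external destinations.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

GB = 1_000_000_000
MAD_SCALE = 1.4826  # scales the median absolute deviation to a std-dev-like unit


@dataclass(frozen=True)
class Alert:
    host: str
    day: str
    rule: str
    detail: str


def build_sample_log() -> list[str]:
    """Constructed sample: 60 days for two hosts (not real Kettering data).

    fileserver01: ~2 GB/day, then 30 GB/day from day 40 (bulk exfiltration).
    workstation17: 1-3 GB/day, then a steady 4 GB/day from day 21
    (low-and-slow exfiltration that never looks like a single-day spike).
    """
    start = date(2025, 1, 1)
    fs_cycle = [1.8, 2.2, 2.0, 1.9, 2.1]
    ws_cycle = [1.0, 2.0, 3.0, 1.5, 2.5]
    lines = []
    for i in range(60):
        day = (start + timedelta(days=i)).isoformat()
        fs = 30.0 if i >= 39 else fs_cycle[i % 5]
        ws = 4.0 if i >= 20 else ws_cycle[i % 5]
        lines.append(f"{day},fileserver01,{round(fs * GB)}")
        lines.append(f"{day},workstation17,{round(ws * GB)}")
    return lines


def parse(lines) -> dict[str, list[tuple[str, int]]]:
    """Group CSV lines by host and sort each host's rows by date."""
    per_host: dict[str, list[tuple[str, int]]] = defaultdict(list)
    for line in lines:
        day, host, egress = line.strip().split(",")
        per_host[host].append((day, int(egress)))
    for rows in per_host.values():
        rows.sort()
    return dict(per_host)


def robust_z(value: int, baseline: list[int]) -> float:
    """Median/MAD z-score: a few prior outliers do not drag the baseline up."""
    med = median(baseline)
    mad = median([abs(x - med) for x in baseline])
    if mad == 0:  # flat baseline: anything above the median is an outlier
        return 0.0 if value <= med else float("inf")
    return (value - med) / (MAD_SCALE * mad)


def detect(per_host, baseline_days=14, z_threshold=3.0, min_spike_bytes=5 * GB,
           window_days=30, window_budget=100 * GB) -> list[Alert]:
    alerts: list[Alert] = []
    for host, rows in per_host.items():
        for idx, (day, egress) in enumerate(rows):
            # Rule 1: single-day spike against the trailing robust baseline.
            # min_spike_bytes keeps tiny-but-unusual days from paging anyone.
            if idx >= baseline_days:
                baseline = [b for _, b in rows[idx - baseline_days:idx]]
                z = robust_z(egress, baseline)
                if z > z_threshold and egress >= min_spike_bytes:
                    alerts.append(Alert(host, day, "daily_spike",
                                        f"z={z:.1f}, {egress / GB:.1f} GB"))
            # Rule 2: trailing-window total exceeds the host's egress budget.
            # This catches exfiltration spread thin enough to dodge Rule 1.
            window = rows[max(0, idx - window_days + 1):idx + 1]
            total = sum(b for _, b in window)
            if total > window_budget:
                alerts.append(Alert(host, day, "window_budget",
                                    f"{total / GB:.0f} GB in {len(window)} days"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(build_sample_log())):
        print(f"{alert.day} {alert.host:14} {alert.rule:14} {alert.detail}")
```

Running it shows the failure mode the two rules are paired for: the spike rule fires on the file server for seven days and then goes quiet, because by then the attacker's own transfers make up half of the trailing baseline (baseline poisoning). The window-budget rule keeps firing on both hosts, including the workstation whose 4 GB/day never trips the spike rule at all. A budget per host class, tuned from a few weeks of clean data, is the setting a practitioner would actually maintain.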