Lawsuits filed after Kettering Health ransomware attack disrupted patient care

Legal action is mounting nearly a year after a cyberattack forced a major Ohio health system to shut down clinical systems and delay medical services.

What happened

Dozens of lawsuits have been filed against Kettering Health following a May 20, 2025, ransomware attack that disrupted operations and allegedly delayed medical treatment for patients. According to Becker’s Healthcare, the Interlock ransomware group claimed responsibility for the attack and said it exfiltrated roughly 941 GB of data before encrypting systems when a ransom was not paid. The cyberattack forced the Ohio health system to shut down around 600 digital applications and revert to manual documentation while systems were restored. Core components of the Epic electronic health record system were restored on June 2, 2025, and normal operations resumed around June 10. In the months since the incident, 44 lawsuits have reportedly been consolidated in Montgomery County Common Pleas Court in Ohio. Plaintiffs claim the disruption caused delayed treatment, cancelled appointments, prescription delays, and, in some cases, denial of care.

Going deeper

Investigators later confirmed that attackers had access to Kettering Health’s network for more than a month before the attack was detected. According to the health system’s update, unauthorized access began on April 9, 2025, and continued until May 20, when the intrusion was discovered, and access was terminated. During that period, attackers accessed or copied files containing patient information. The compromised data may include names, contact details, dates of birth, Social Security numbers, medical record numbers, treatment information, health insurance details, financial information, and government identification numbers. The breach was reported to the U.S. Department of Health and Human Services Office for Civil Rights on July 21, 2025, using a placeholder estimate of 501 affected individuals. The final number of impacted patients has not yet been confirmed.

What was said

Kettering Health confirmed the restoration of systems during the recovery process, stating in an update that restoring its Epic electronic health record system “marks a major milestone in our broader restoration efforts and a vital step toward returning to normal operations.” The statement was issued by Kettering Health as the organization worked to bring clinical systems back online and resume digital patient record management following the cyberattack.

In the know

According to reporting by WLWT, attorney Michael Wright said his firm has filed lawsuits on behalf of about 200 patients who claim their medical treatment was delayed or denied following the cyberattack on Kettering Health, and he represents another 500 people whose personal information may have been stolen. Wright said, “This is not just a story of someone's social security number being on the dark web or their personal information being compromised. This is about people's health being stolen.” He also criticized the organization’s preparedness, stating, “They had no contingency plan, and they just stopped seeing patients. They stopped taking phone calls, and they started turning everybody away.” Wright said some cancer patients had to stop chemotherapy and lost access to their medical records, adding, “A lot of our clients were unable to go to other networks because their insurance company would not allow them to move. The ones that could transfer, they had to start all over. Testing from ground zero. They had to completely start over.” Attorney Robert Gresham said hospitals rely heavily on digital systems, stating, “When that digital backbone fails, care fails. And that's what these lawsuits are about.”

The big picture

Healthcare ransomware incidents can lead to lasting legal and operational consequences when patient care is disrupted. The Kettering Health cyberattack shows how a breach can escalate beyond a technical failure into lawsuits alleging delayed treatment, cancelled procedures, and denial of care. Investigators confirmed attackers had access to the network for more than a month before detection, a pattern cybersecurity researchers say is common across healthcare. A report titled What small healthcare practices get wrong about HIPAA and email security found that healthcare organizations take an average of 224 days to detect a breach and 84 days to contain it, leaving long periods where attackers can move through systems unnoticed. Another report, the 2025 mid-year email breach data reveals there’s no slowing down, found that the average cost of a healthcare breach has reached $11 million, the highest of any industry for 14 consecutive years, while ransomware attacks targeting healthcare providers have surged by 264 percent since 2018. Rick Kuwahara, Chief Information Security Officer at Paubox, said many healthcare organizations operate under a “false sense of security,” often recognizing their “security gaps after a serious incident occurs,” and when hospital systems are forced offline, the disruption can affect clinical workflows, treatment continuity, and patient safety across entire health networks.

FAQs

Why are ransomware attacks particularly disruptive to hospitals?

Hospitals depend on electronic health records, scheduling systems, and diagnostic platforms to coordinate care. When those systems are unavailable, staff may revert to manual processes that slow clinical workflows and delay treatment.

What is double extortion ransomware?

Double extortion attacks involve both encrypting an organization’s files and stealing data. Attackers threaten to publish the stolen information if the ransom is not paid.

What types of data were reportedly exposed in the Kettering Health incident?

Investigators said attackers accessed files containing patient and employee information, including personal identifiers, medical information, insurance data, and financial details.

Why do healthcare breaches often lead to lawsuits?

Patients may pursue legal claims if personal information is exposed or if disruptions to hospital systems result in delayed or denied medical care.

What steps do hospitals typically take after ransomware incidents?

Organizations often isolate affected systems, restore backups, investigate the breach, notify affected individuals, and implement additional security controls such as network segmentation and enhanced monitoring.