Ohio’s Kettering Health hit by ransomware, forcing mass procedure cancellations and system shutdowns across its network.
What happened
Kettering Health, a nonprofit healthcare network in Ohio, experienced a system-wide technology outage following a ransomware attack that disrupted operations across its 14 medical centers and more than 120 outpatient facilities. On May 20, elective inpatient and outpatient procedures were abruptly canceled, and the organization’s call center also went offline. Emergency rooms and clinics remain open.
The network, which employs over 15,000 staff members including 1,800 physicians, confirmed the cyberattack in a statement but did not initially specify the nature of the incident or whether patient data was compromised.
Going deeper
While Kettering Health has not formally disclosed the full scope of the attack, cybersecurity firm PRODAFT attributed the breach to a threat actor known as “Nefarious Mantis,” a group linked to the Interlock ransomware operation. This group has previously targeted U.S. healthcare and biotech companies, using the Interlock RAT (Remote Access Trojan) for reconnaissance before deploying ransomware to encrypt systems and disrupt operations.
CNN also reported that Interlock may be behind the Kettering attack. According to a ransom note, the attackers claim to have exfiltrated files and threatened to leak them unless a ransom is paid. Despite this, Interlock has not yet listed Kettering Health on its dark web data leak site, and no group has publicly taken responsibility.
Kettering is also facing a wave of scam calls impersonating staff and asking patients for credit card information. Though these calls haven't been directly linked to the breach, the organization has halted all payment-related phone outreach as a precaution.
What was said
In its public statement, Kettering Health says the impact of the outage and the steps being taken to safeguard patients: “Elective inpatient and outpatient procedures... have been canceled... Our emergency rooms and clinics are open and continuing to see patients.”
The organization also warned about scam attempts: “Out of an abundance of caution, we will not be making calls to ask for or receive payment over the phone until further notice.”
The big picture
Groups such as Interlock have adopted more aggressive tactics, combining data theft with extortion demands. In response, healthcare organizations may need to invest in stronger cybersecurity protocols and adopt more proactive strategies to reduce exposure to these types of attacks.
FAQs
Who is “Nefarious Mantis” and what is their connection to the attack?
Nefarious Mantis is a cybercriminal group associated with the Interlock ransomware operation. They are known for using remote access tools to surveil healthcare and biotech networks before deploying ransomware.
Has Kettering Health confirmed if any patient data was stolen?
As of now, Kettering Health has not confirmed whether any patient data was compromised in the attack.
What should patients do if they receive suspicious calls claiming to be from Kettering Health?
Patients should hang up immediately and contact Kettering Health through verified channels. The organization has suspended all payment-related phone outreach due to scam attempts.
Why are ransomware groups increasingly targeting healthcare providers?
Healthcare organizations often rely on uninterrupted digital access for patient care, making them more likely to pay ransoms quickly to restore services making them attractive targets for attackers.
What are the potential long-term effects of this type of cyberattack on healthcare systems?
Beyond immediate operational disruption, such attacks can lead to reputational damage, financial loss, delayed care, and regulatory investigations.
Farah Amod
