Interlock ransomware claims Kettering Health breach, leaks stolen data

The Interlock ransomware gang has claimed a recent cyberattack on the Kettering Health healthcare network and leaked data allegedly stolen from breached systems.

Kettering Health employs over 15,000 people, including more than 1,800 physicians, and it manages 14 medical centers and over 120 outpatient facilities in western Ohio.

The nonprofit organization disclosed a cyberattack on May 20 that triggered an outage affecting its call center and some patient care systems, leaving staff without access to computerized charting systems and forcing care teams back to pen and paper. The incident also led to canceled elective inpatient and outpatient procedures, while emergency rooms and clinics remained open and continued seeing patients.

On Monday, Kettering Health issued an update saying it restored access to its electronic health record (EHR) system, although additional work is needed to bring back online the MyChart medical record application system for patients and call centers at affected facilities and practices.

Until phone systems are restored, Kettering Health provides a temporary phone line staffed by registered nurses for patients with urgent clinical questions.

While the healthcare network has yet to attribute the breach to a specific threat group, the Interlock ransomware operation claimed responsibility for the attack this week and published samples of allegedly stolen data, confirming previous reporting that Interlock was likely behind the attack.

Kettering Health entry on Interlock’s leak site (BleepingComputer)

The ransomware group claims they stole 941 GB of data, including over 20,000 folders containing 732,489 documents with sensitive information.

This data allegedly includes bank reports, payroll information, patients’ data, pharmacy and blood bank documents, Kettering Health police personnel files, and scans of identity documents, including passports.

Interlock is a newer ransomware operation that surfaced in September 2024 and has claimed responsibility for dozens of victims worldwide, many of them healthcare organizations.

This cybercrime gang has also been linked to ClickFix attacks, in which it impersonates IT tools to gain initial access to the targets’ networks, and to a previously unknown remote access trojan (RAT) named NodeSnake deployed in attacks against U.K. universities earlier this year.

Most recently, Interlock has claimed the breach of DaVita, a Fortune 500 kidney care provider with over 2,600 U.S. dialysis centers, and released 1.5 terabytes of data allegedly stolen from the organization’s network.

A Kettering Health spokesperson didn’t share additional details regarding the incident when contacted by BleepingComputer after the attack.
