Kettering Health Confirms Interlock Ransomware Breach and Data Theft
On the morning of May 20, 2025, Kettering Health, a major Ohio-based healthcare provider operating 14 medical centers and over 120 outpatient facilities, was struck by a sophisticated ransomware attack that forced a system-wide technology outage.
The incident, attributed to the Interlock ransomware group, resulted in unauthorized access to the health system’s network, encrypting critical patient care systems and effectively paralyzing digital operations.
As a result, all elective inpatient and outpatient procedures were canceled for the day, and the organization’s call center was rendered inaccessible.
Ransomware, a type of malware that encrypts data and demands payment for its release, has become a growing threat to healthcare organizations.
In this case, the attackers also allegedly exfiltrated sensitive patient data, threatening to publish it on the dark web unless negotiations were initiated within 72 hours—a tactic known as “double extortion”.
Kettering Health’s IT teams, following incident response protocols, immediately shut down all network-connected devices to contain the breach and prevent further spread of the malware.
A Multi-Phase Approach
In the days following the attack, Kettering Health implemented a comprehensive incident response plan.
The priority was the complete removal of threat actors’ tools and persistence mechanisms from the network.
Security partners and internal teams conducted thorough reviews of all systems, implementing network segmentation, enhanced monitoring, and updated access controls to prevent future intrusions.
All identified vulnerabilities were patched, and ongoing protection measures were reinforced, including employee security training and regular system audits.
To maintain patient care, Kettering Health activated contingency protocols, relying on manual processes such as paper-based records for clinical documentation.
The organization established temporary phone lines for urgent clinical questions and medication refills, ensuring that patients with critical needs could still access care.
For example, patients requiring urgent assistance were directed to call (937) 600-6879 during business hours.
Additionally, walk-in availability was expanded for established patients across primary and specialty care locations, and emergency departments remained open, albeit with some diversion of ambulances to neighboring hospitals during the initial phase of the outage.
Milestones and Ongoing Challenges
By June 2, Kettering Health had restored core components of its Epic electronic health record (EHR) system, a major milestone that re-enabled updating of and access to patient records and improved communication among care teams.
Over 200 staff members and Epic partners worked around the clock to achieve this milestone.
However, full restoration of services, including inbound and outbound calling and patient portal access via MyChart, remained ongoing as of early June.
Despite these advances, patients continued to experience disruptions.
Many reported difficulties reaching their care teams, delays in medication refills, and limited access to MyChart.
The organization urged the public to remain vigilant against scam calls and phishing attempts, which increased in frequency following the attack.
Kettering Health reiterated that it would not request payment for medical expenses over the phone until further notice and advised anyone receiving suspicious communications to report them to law enforcement.
Risk Factors and Technical Considerations
The Kettering Health incident highlights several critical risk factors for healthcare organizations in the digital age.
Below is a summary table of key risks, their descriptions, and impact levels:
Risk Factor | Description | Impact Level |
---|---|---|
Ransomware Attack | Malicious software encrypts or locks data until ransom is paid | High |
Unauthorized Network Access | Unauthorized users gain access to sensitive network systems | High |
Data Exfiltration | Sensitive data accessed and potentially stolen by attackers | High |
System-wide Technology Outage | Complete outage of IT systems affecting all facilities | High |
Disruption of Patient Care | Cancellation of elective procedures and diversion of emergency cases | Medium |
Scam Calls and Fraud Attempts | Fraudulent calls requesting payments from patients | Medium |
Delayed Recovery Time | Longer time required to restore systems and operations | High |
Use of Legacy Systems | Older systems that may lack modern security features | Medium |
Double Extortion Tactics | Attackers use stolen data to increase leverage for ransom | High |
High Cost of Downtime | Financial losses due to operational downtime and recovery efforts | High |
Kettering Health’s response to the ransomware attack demonstrates the importance of robust cybersecurity frameworks, rapid incident response, and transparent communication with patients and staff.
While significant progress has been made in restoring services, the incident underscores the ongoing threat posed by cybercriminals to healthcare organizations and the need for continuous investment in both technology and training to safeguard patient data and ensure uninterrupted care.
As Kettering Health moves forward, its experience serves as a cautionary tale for the healthcare sector and a blueprint for resilience in the face of cyber adversity.