The Kettering Health ransomware attack occurred on May 20, 2025, when a cybercriminal group known as Interlock gained unauthorized access to the healthcare network’s systems. This incident disrupted services across 14 hospitals and numerous outpatient facilities in Ohio, leading to cancellations of medical procedures and challenges in patient care. Kettering Health, a nonprofit organization serving communities in the Dayton area, faced a system-wide outage that forced staff to use paper records and alternative communication methods.
Interlock, the ransomware group behind the attack, encrypted parts of the network and stole sensitive data, including patient and employee information. The group demanded a ransom, but when it was not paid, they leaked samples of the stolen data online. This breach exposed details such as identity documents, financial reports, and medical files, affecting potentially thousands of individuals. Recovery efforts took weeks, with key systems restored by early June 2025.
Patients and staff experienced real hardships during this time, like one nurse who shared how she had to rely on walkie-talkies to coordinate care, reminding us of the human side of cybersecurity threats in healthcare. The attack highlights the growing risks to medical organizations and the need for strong defenses.
What Happened During the Kettering Health Ransomware Attack?
The Kettering Health ransomware attack began on May 20, 2025, with unauthorized access to the network. Interlock, a ransomware group that emerged in late 2024, carried out the attack using a double-extortion method. This means they encrypted systems to lock out users and stole data to pressure the victim into paying. The group targeted Kettering Health, a network with 14 hospitals, over 100 outpatient locations, and services like emergency care and primary care in Ohio.
On that day, staff noticed unusual activity, including over 2 million login attempts in a short time. This triggered alerts, and the chief information officer informed CEO Michael Gentry during a meeting. Soon after, Homeland Security contacted the organization, confirming the severity. The attack disrupted electronic health records (EHR) systems, phone lines, and the patient portal called MyChart.
Interlock left a ransom note, threatening to release stolen data if demands were not met. Kettering Health chose not to pay, leading to the group leaking samples on June 5, 2025. The leaked data included 941 GB of files, such as payroll records, employee files, identity scans, Medicaid applications, pharmacy documents, financial reports, and patient information. This exposure raised concerns about identity theft and privacy violations for those affected.
The attack method involved exploiting vulnerabilities, though the exact entry points remain undisclosed. Ransomware groups like Interlock often use phishing emails or weak passwords to gain initial access. Once inside, they spread across the network, encrypting files and exfiltrating data. In this case, the quick detection helped limit some damage, but the outage lasted weeks.
Human stories emerged, like patients waiting for rescheduled surgeries or families struggling to reach loved ones in hospitals. One hypothetical example is a mother who couldn’t access her child’s medical history during an emergency visit, showing how such attacks touch everyday lives.

How Did the Ransomware Attack Impact Kettering Health’s Operations?
The ransomware attack caused a system-wide outage that halted normal operations at Kettering Health. Elective inpatient and outpatient procedures were canceled on May 20, 2025, and rescheduled later. Emergency departments stayed open but went on diversion at times, meaning they redirected patients to other hospitals like Premier Health Partners or Dayton Children’s.
Staff switched to manual processes, using pen and paper for records and walkie-talkies for communication. This slowed down care, as doctors could not access digital charts quickly. The call center faced high volumes, making it hard for patients to get appointments or refills. Retail pharmacies set up temporary phone numbers to handle requests.
Primary care and specialty clinics offered walk-in services for established patients starting May 27, 2025. This helped maintain some care, but new patients had limited options. The MyChart portal, used for viewing records and messaging providers, was down until partial restoration on June 9, 2025.
Financial impacts included lost revenue from canceled procedures and costs for recovery. Kettering Health spent resources on external experts and system upgrades. Patients reported frustrations, such as delays in treatments for conditions like cancer screenings or routine check-ups.
In a broader sense, the attack strained community resources. Nearby hospitals took on extra patients, showing how one organization’s breach affects the whole healthcare ecosystem. Imagine a doctor working extra hours with paper notes, feeling the stress of potential errors in a high-stakes environment.
Here are 5 key operational impacts:
- Cancellation of elective surgeries and procedures.
- Shift to manual record-keeping.
- Phone system disruptions are leading to high call wait times.
- Emergency department diversions.
- Limited access to patient portals.
Impact on Patient Care and Operations
The immediate impact of the ransomware attack on Kettering Health’s operations was significant. With critical IT systems offline, the healthcare system faced substantial challenges in delivering care to patients. The following areas were particularly affected:
Disrupted Medical Services
- Elective procedures: All scheduled inpatient and outpatient procedures were canceled initially
- Emergency services: While emergency departments remained open, they operated under diversion protocols temporarily
- Primary care: Walk-in care was limited to established patients at primary care locations
- Pharmacy services: Retail pharmacy operations were disrupted during the outage
Communication Challenges
- Phone systems: Both inbound and outbound phone lines were affected, making it difficult for patients to reach healthcare providers
- Scheduling tools: Appointment scheduling systems were offline, causing delays in rescheduling canceled procedures
- Patient portal: MyChart access was temporarily unavailable, limiting patients’ ability to view records or communicate with providers
Patient Care Delays
- Chemotherapy treatments: Some patients missed scheduled chemotherapy sessions
- Prescription access: Certain patients experienced difficulties obtaining necessary medications
- Medical records: Patients were unable to access their medical records during the outage
- Follow-up care: Delays in rescheduling appointments affected continuity of care for many patients
The human impact of these disruptions cannot be overstated. More than 200 patients reached out to a law firm reporting various issues, with some alleging that weeks after the attack, they were still experiencing delays in care and access to medical services.

What Data Was Stolen in the Kettering Health Ransomware Attack?
Interlock stole 941 GB of data from Kettering Health during the ransomware attack. This included 732,490 files in 20,418 folders. Specific items compromised were employee payroll information, identity document scans, police security files, Medicaid applications, pharmacy records, blood bank documents, financial revenue reports, corporate insurance files, tax information, budget reports, and patient files.
Kettering Health confirmed a small subset of patient data was taken, but the full scope was still under review. They reported the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights, listing 501 affected individuals as a placeholder. The actual number could be higher, as investigations continued.
Stolen data raises risks of identity theft, fraud, and privacy breaches. For example, exposed Social Security numbers or medical histories could lead to scams or discrimination. Employees might face payroll fraud, while patients worry about health information being sold on the dark web.
To protect those affected, Kettering Health planned to send notification letters with offers for credit monitoring and fraud protection services. This follows legal requirements for data breaches. Think of a patient receiving such a letter and feeling anxious about their personal details being out there, a common human reaction to these events.
Who is Behind the Attack: The Interlock Ransomware Group
The Interlock ransomware group claimed responsibility for the attack on Kettering Health. This cybercriminal organization has a history of targeting healthcare institutions with double extortion attacks—breaching networks, stealing sensitive data, and then encrypting files while demanding ransom payments to prevent data publication and provide decryption keys.
Interlock emerged as a significant threat in October 2024 and has since been tracked for 16 confirmed attacks, with an additional 17 attacks remaining unconfirmed by victims. The group has targeted various healthcare organizations, including:
- Davita (kidney dialysis service giant)
- Brockton Neighborhood Health Center in Massachusetts
- Drug and Alcohol Treatment Service in Pennsylvania
- Texas Tech University Health Sciences Center
- West Lothian Council in the UK
The attack methodology used by Interlock follows a predictable pattern. The group first gains unauthorized access to the target network, then identifies and exfiltrates sensitive data before deploying ransomware to encrypt files. They then demand payment to both decrypt the encrypted files and prevent the publication of stolen data on their dark web leak site.
Data Breach: What Information Was Compromised
The data breach aspect of the Kettering Health ransomware attack was particularly concerning. Interlock claimed to have stolen 941 GB of data containing 732,490 files spread across 20,418 folders before deploying the ransomware. The stolen information included a wide range of sensitive data types:
Patient Information
- Medical records: Complete patient files containing medical histories and treatment information
- Personal identification: Scans of identity documents and driver’s licenses
- Insurance information: Details about patients’ insurance coverage
- Billing data: Payment information and financial details related to medical services
Employee Data
- Payroll information: Details about employee compensation and payment history
- Personnel files: Complete employee records containing personal and professional information
- Security personnel files: Information about security staff and their assignments
Organizational Documents
- Pharmacy and blood bank documents: Records related to pharmaceutical services and blood products
- Financial reports: Revenue reports, budget information, and corporate tax documents
- Corporate insurance files: Details about the organization’s insurance coverage
- Medicaid application documents: Information related to Medicaid enrollment and claims
The scope of the data breach raised serious concerns about identity theft and fraud. Kettering Health initially stated that only “a small subset” of patient data was accessed, but the sheer volume of data claimed by Interlock suggested a much broader impact. The healthcare system registered a placeholder of 501 individuals with the HHS’ Office for Civil Rights, though this number was likely to increase as the investigation continued.
How Did Kettering Health Respond to the Ransomware Attack?
Kettering Health responded to the ransomware attack by immediately terminating the attackers’ access to the network. They worked with over 200 internal and external experts, including their information systems team, clinical staff, and Epic EHR specialists.
Key steps included containing the threat, assessing vulnerabilities, and patching systems. They implemented network segmentation to isolate affected areas, enhanced monitoring for suspicious activity, and updated access controls to prevent future breaches. By June 5, 2025, all ransomware tools were removed from the systems.
Recovery milestones were:
- May 23, 2025: Set up a temporary urgent clinical support line (937-600-6879) staffed by nurses.
- June 2, 2025: Restored core Epic EHR components for direct patient data entry.
- June 9, 2025: Resumed all surgeries and limited MyChart access.
- June 10, 2025: Returned to normal operations for key services like imaging, pharmacy, and office visits.
CEO Michael Gentry emphasized employee innovation, allowing staff to suggest solutions rather than sticking to strict hierarchies. This approach sped up recovery. They also warned about scam calls pretending to be from Kettering Health, advising caution with personal information.
Collaboration with community partners helped manage patient loads. Ongoing training for employees on cybersecurity was added to build resilience. A staff member might recall the teamwork during recovery as a bonding experience amid chaos.
What Legal Actions Followed the Kettering Health Ransomware Attack?
A class-action lawsuit was filed against Kettering Health weeks after the ransomware attack. The suit claims negligence in protecting data, seeking damages for affected individuals. It argues the organization failed to implement adequate security measures, leading to the breach.
Kettering Health complied with regulatory reporting by notifying the HHS Office for Civil Rights. This is required under HIPAA for breaches involving protected health information. They also prepared to notify affected people directly, offering free credit monitoring.
Potential fines from regulators could arise if violations are found. The lawsuit highlights accountability in healthcare cybersecurity. Patients involved might feel empowered by seeking justice, adding a human layer to legal proceedings.
How Can Healthcare Organizations Prevent Ransomware Attacks Like the One on Kettering Health?
Healthcare organizations prevent ransomware attacks by implementing strong cybersecurity measures. Regular software updates and patches close vulnerabilities that attackers exploit. Employee training on recognizing phishing emails reduces risks, as many attacks start with social engineering.
Use multi-factor authentication for all accounts to add security layers. Network segmentation limits damage if one area is breached. Backup important data offline or in secure clouds, tested regularly for quick restoration.
Here are 8 key prevention steps:
- Conduct regular security audits.
- Train staff on cyber threats.
- Use advanced antivirus software.
- Implement access controls.
- Monitor networks for unusual activity.
- Develop incident response plans.
- Partner with cybersecurity experts.
- Encrypt sensitive data.
Privileged Access Management (PAM) tools remove permanent admin rights, granting access only when needed. This curbs attacker movement. A hospital administrator might share how these steps saved time and stress in drills.
| Prevention Measure | Benefits | Examples |
|---|---|---|
| Employee Training | Reduces human errors | Phishing simulations |
| Network Segmentation | Contains breaches | Isolate EHR systems |
| Data Backups | Enables quick recovery | Daily offsite copies |
| Multi-Factor Authentication | Blocks unauthorized access | SMS codes or apps |
What Lessons Did the Healthcare Industry Learn from the Kettering Health Ransomware Attack?
The Kettering Health ransomware attack taught the healthcare industry to prioritize flexible response plans. Traditional top-down approaches slow recovery, while empowering staff speeds it up. Preparedness for manual operations ensures care continues during outages.
Invest in robust defenses against emerging threats like Interlock. Regular drills simulate attacks to test responses. Collaboration with other hospitals shares resources and knowledge.
The attack shows ransomware targets healthcare due to sensitive data and operational urgency. CEO Gentry noted it’s part of larger global strategies to harm U.S. infrastructure. Lessons include budgeting for cybersecurity and fostering a culture of vigilance.
Industry-wide, it pushes for better regulations and funding. A lesson for all: Cyber threats evolve, so defenses must too. Reflect on a doctor’s relief when systems return, underscoring resilience.
Protecting Yourself After a Healthcare Data Breach
If you were affected by the Kettering Health data breach or any similar healthcare data breach, there are several steps you can take to protect yourself from potential identity theft and fraud:
Immediate Actions
- Monitor accounts: Keep a close eye on your financial accounts for any suspicious activity
- Check credit reports: Review your credit reports from all three major credit bureaus
- Change passwords: Update passwords for any online accounts, especially those related to healthcare
- Enable two-factor authentication: Add an extra layer of security to your online accounts
Long-term Protection
- Credit monitoring: Consider enrolling in a credit monitoring service for ongoing protection
- Fraud alerts: Place fraud alerts on your credit reports to make it harder for identity thieves to open accounts
- Security freeze: Consider a security freeze on your credit reports to prevent new accounts from being opened
Recognizing Scams
After a data breach, scammers often try to take advantage of the situation. Be wary of:
- Phone calls claiming to be from Kettering Health or other healthcare providers asking for payment or personal information
- Emails with links or attachments related to the data breach
- Text messages requesting personal information or payment
Remember that legitimate healthcare organizations will not call you asking for payment unless it has been pre-arranged through secure channels. If you receive a suspicious communication, contact the organization directly using a phone number or website you know is authentic.
FAQ: Kettering Health Ransomware Attack
When did the Kettering Health ransomware attack occur?
The Kettering Health ransomware attack occurred on May 20, 2025, when the healthcare system experienced a system-wide technology outage affecting all 14 of its medical centers.
Who was responsible for the attack?
The Interlock ransomware group claimed responsibility for the attack. This cybercriminal organization has been active since October 2024 and has targeted multiple healthcare institutions.
Was patient data stolen during the attack?
Yes, patient data was stolen during the attack. Interlock claimed to have stolen 941 GB of data containing 732,490 files, including patient records, financial information, and employee data.
Did Kettering Health pay the ransom?
No, Kettering Health did not confirm paying the ransom. The organization stated they were not commenting on specific operational details of their response, but Interlock posted the stolen data on their dark web site, indicating the ransom was not paid.
How long did it take for Kettering Health to recover?
It took approximately three weeks for Kettering Health to resume normal operations for key services. The core components of their Epic EHR system were restored on June 2, 2025, and normal operations for key services resumed by June 10, 2025.
Was there a lawsuit filed against Kettering Health?
Yes, a class-action lawsuit was filed against Kettering Health by attorneys representing patients affected by the attack. The lawsuit accused the healthcare system of negligence and failing to protect patients.
What should I do if I was affected by the data breach?
If you were affected, you should monitor your financial accounts, check your credit reports, change passwords, enable two-factor authentication, and be wary of scams. Kettering Health stated they would notify affected individuals directly and may offer credit monitoring services.
Has Kettering Health improved its security since the attack?
Yes, Kettering Health implemented several security enhancements including network segmentation, enhanced monitoring, updated access controls, and improved employee security training to prevent future attacks.
Are other healthcare organizations at risk of similar attacks?
Yes, healthcare organizations are frequent targets of ransomware attacks due to the value of patient data and the critical nature of healthcare services. The Interlock group alone has claimed responsibility for attacks on multiple healthcare institutions.
How can I protect myself from healthcare data breaches?
To protect yourself, monitor your accounts regularly, use strong unique passwords, enable two-factor authentication, be cautious about sharing personal information, and stay informed about data breaches that may affect you.
Conclusion
The Kettering Health ransomware attack on May 20, 2025, exposed vulnerabilities in healthcare systems and the severe consequences of cyber threats. Interlock’s actions disrupted care, stole data, and led to legal challenges, but Kettering Health’s response showed resilience through teamwork and innovation. This event serves as a reminder for all organizations to strengthen defenses and prepare for incidents. By learning from it, the industry can better protect patients and maintain trust. In the end, human dedication turned a crisis into an opportunity for improvement.


