
Cookeville Regional Medical Center Breach
Aug 2, 2025
20,521 rows
What happened in the Cookeville Regional Medical Center Breach?
DataBreach.com Team · August 27th 2025, 8:00 pm EDT
TL;DR: Our current parse of the Cookeville Regional Medical Center (CRMC) leak shows 13,300 unique Social Security numbers, alongside 20,500 street addresses, 8,500 phone numbers, and 7,700 email addresses. On Rhysida’s portal, the CRMC card lists a 538GB / 372,574-file data catalog and a 70% progress bar with the caption “Not sold data was uploaded, data hunters, enjoy.” Totals may increase as additional archives land.
What happened-and when
CRMC reported a network security incident in July 2025 that disrupted operations. Soon after, the Rhysida ransomware operation claimed responsibility, posted proof-of-theft samples, and advertised a 10-Bitcoin demand with an auction countdown-classic double-extortion.
Release status (why counts may rise)
The leak portal currently shows 538GB across 372,574 files and marks the dump 70% complete with a “not sold” caption-signaling a public release rather than a private sale. As remaining tranches arrive, de-duplication and entity linking typically nudge unique counts upward.
Our parse so far
- 13,300 unique SSNs
- 20,500 unique street addresses
- 8,500 unique phone numbers
- 7,700 unique email addresses
Figures are preliminary and will be updated if later archives materially change the picture.
What the data mix signals
The combination of SSN + full address + phone is the high-risk pattern for:
- Tax-refund fraud and synthetic identity creation
- Credit-file takeover and long-tail medical identity theft
- Targeted phishing and social-engineering attacks against both patients and staff
Healthcare leaks frequently include HR/finance records (e.g., W-2s, driver’s licenses) alongside patient data, expanding exposure beyond clinical files.
What’s confirmed vs. unknown
Confirmed
- Ransomware attack with operational disruption
- Rhysida’s public claim, proof samples, and 10-BTC auction language
- Ongoing public posting of the dataset (70% indicator).
Unknown (as of publication) - Final person-count totals and the hospital’s definitive list of data types
- Initial access vector (phishing, remote access, third-party, etc.)
- Whether the entire 538GB will ultimately post
Practical steps for affected individuals
- Place a credit freeze with all three major bureaus; consider a fraud alert
- Create/lock an IRS online account; watch transcripts for anomalies
- Review insurer EOBs for unfamiliar services and dispute immediately
- Rotate passwords for any patient/staff portals and enable MFA
- Save any official notice for documentation and rights timelines










