
Kettering Health Breach
May 20, 2025
56,540 rows
What happened in the Kettering Health Breach?
DataBreach.com Team · June 15th 2025, 8:00 pm EDT
Incident Overview
On May 20, 2025, Kettering Health, a not-for-profit network of 14 hospitals and 120+ outpatient sites in western Ohio, discovered a ransomware attack that triggered a “system-wide technology outage.” Phone lines, the Epic electronic health-record (EHR) system, scheduling platforms, and other clinical applications were abruptly encrypted, forcing clinicians to revert to paper charts and reroute some ambulances. Emergency rooms, however, stayed open under downtime protocols.
Kettering immediately initiated its incident-response playbook: it segmented affected networks, pulled critical servers offline, and brought in third-party forensics specialists while notifying federal law-enforcement partners. By June 2, less than two weeks later, the core components of Epic were back online, and on June 13 the organization declared “normal operations” for key services such as surgery, imaging, retail pharmacy, and outpatient visits.
Discovery and Containment
The June 5 status report confirmed that investigators had “eradicated all of the ransomware group’s tools and persistence mechanisms,” applied emergency patches, and hardened segmentation, access-control, and monitoring rules across Kettering’s environment.
More than 200 internal IT and clinical personnel, along with Epic engineers, worked around the clock to rebuild infrastructure and clear backlogs of manually captured patient data.
Data-Exposure Claims Emerge
On June 4, 2025, the Interlock ransomware gang publicly claimed responsibility, boasting on its leak site that it had exfiltrated about 941 GB (roughly 732,000 files stored in 20,000 folders) before launching encryption. Early leaked samples reviewed by journalists and researchers included:
- Patient names, medical-record numbers, clinical summaries, medication lists, mental-health notes
- Scans of identity documents and payroll files for employees
- Financial revenue reports, insurance files, blood-bank and pharmacy documents
When negotiations stalled, Interlock began publishing portions of the haul on the dark web. Kettering acknowledged the postings but emphasized that only “a small subset” of patient data appears affected and that a file-by-file review is under way to determine whose information was involved.
Impact on Patients
The breach’s immediate operational fallout was significant:
- Diversions & cancellations: Several facilities temporarily diverted ambulances and cancelled elective procedures the week of May 20.
- Communication outages: Phone lines and the MyChart patient portal were intermittently unusable until mid-June.
- Scam activity: Kettering warned of fraudulent calls demanding credit-card payments for medical bills and advised patients to hang up and contact police.
Based on leaked samples and court filings, the following categories of personally identifiable information (PII) may have been compromised:
- Full name
- Date of birth & Social Security number
- Health-insurance details
- Clinical notes / diagnosis information
- Payment-card or banking data
- Employee HR and payroll records
Not every individual’s data was exposed; you can search DataBreach.com’s lookup tool to check specific records.
Separately, a class-action lawsuit filed in Montgomery County on June 16 alleges that Kettering’s security controls were inadequate and that service disruptions caused missed appointments, even for oncology and orthopedic patients.
Kettering Health’s Ongoing Investigation
Kettering says its forensic investigation “remains active.” Notices will be mailed directly to affected individuals, including offers of credit-monitoring or identity-theft protection where warranted.
The health system is also collaborating with vendors to tighten network segmentation and implement additional zero-trust controls, while law-enforcement agencies pursue Interlock.




