Cookeville Regional Medical Center hospital data breach impacts 337,917 people

The Cookeville Regional Medical Center (CRMC) in Tennessee suffered a significant ransomware attack attributed to the Rhysida threat actor group. Detected in July 2025, the intrusion resulted in the exfiltration of approximately 500GB to 538GB of sensitive data, impacting roughly 337,000 individuals. Compromised information includes personally identifiable information (PII) and protected health information (PHI), such as Social Security numbers, medical records, and financial details. Although the data was leaked on the group's Tor site after no ransom was paid, no confirmed misuse has been reported yet. CRMC engaged law enforcement and forensic investigators to contain the breach. Affected individuals are being notified via mail and offered free identity theft protection services. Recommendations include monitoring credit reports and reporting suspicious activity. This incident highlights the ongoing risk ransomware poses to healthcare infrastructure and patient data security.

A ransomware attack on Cookeville Regional Medical Center hospital (Tennessee) exposed data of 337,000 people after hackers stole 500GB of sensitive information from its systems. A ransomware attack on Cookeville Regional Medical Center (CRMC) in Tennessee led to a major data breach affecting about 337,000 people. The attack, carried out by the Rhysida group, involved […]

The Cookeville Regional Medical Center (CRMC) in Tennessee suffered a significant ransomware attack attributed to the Rhysida threat actor group. Detected in July 2025, the intrusion resulted in the exfiltration of approximately 500GB to 538GB of sensitive data, impacting roughly 337,000 individuals. Compromised information includes personally identifiable information (PII) and protected health information (PHI), such as Social Security numbers, medical records, and financial details. Although the data was leaked on the group's Tor site after no ransom was paid, no confirmed misuse has been reported yet. CRMC engaged law enforcement and forensic investigators to contain the breach. Affected individuals are being notified via mail and offered free identity theft protection services. Recommendations include monitoring credit reports and reporting suspicious activity. This incident highlights the ongoing risk ransomware poses to healthcare infrastructure and patient data security. A ransomware attack on Cookeville Regional Medical Center hospital (Tennessee) exposed data of 337,000 people after hackers stole 500GB of sensitive information from its systems. A ransomware attack on Cookeville Regional Medical Center (CRMC) in Tennessee led to a major data breach affecting about 337,000 people. The attack, carried out by the Rhysida group, involved […] A ransomware attack on Cookeville Regional Medical Center hospital (Tennessee) exposed data of 337,000 people after hackers stole 500GB of sensitive information from its systems. A ransomware attack on Cookeville Regional Medical Center (CRMC) in Tennessee led to a major data breach affecting about 337,000 people. The attack, carried out by the Rhysida group , involved the theft of around 500GB of data, exposing sensitive information from the hospital. Cookeville Regional Medical Center detected suspicious activity on July 14, 2025, and quickly launched an investigation with law enforcement and a forensic firm. It found that an unauthorized party accessed its network between July 11 and 14, potentially viewing or stealing sensitive data. After completing its investigation, CRMC reviewed the affected files and confirmed that personal data was exposed. Depending on the individual, this may include names, addresses, dates of birth, Social Security and driver’s license numbers, financial details, and medical or insurance information. The hospital is notifying affected individuals by mail where possible. “The forensic investigation determined that an unauthorized third party accessed CRMC’s computer network and viewed or acquired certain files between July 11, 2025, and July 14, 2025. Based on the results of its investigation, CRMC conducted a comprehensive review of the affected files to determine if they contained any personal information that was viewed or acquired by the third party.” reads the notice of data breach “CRMC identified the personal information of certain individuals. Depending on the individual, the personal information may include their name, address, date of birth, Social Security number, driver’s license number, financial account number, medical treatment information, medical record number, and/or health insurance policy information. CRMC is mailing notification letters to individuals for whom they have a valid address and whose information was in the affected files.” CRMC advises affected individuals to follow the guidance in notification letters to protect themselves. While no misuse of data has been confirmed, the hospital offers free identity theft protection to those impacted. People should monitor accounts and credit reports, report suspicious activity, and contact authorities if fraud is suspected. They can also consult FTC resources for tips on fraud alerts and credit protection. According to the notification sent to the Maine Attorney General’s Office, the incident impacted 337,000 people. In August 2025, the Rhysida ransomware group added the healthcare organization to its Tor data leak site, claiming the theft of 538 GB of data. However, none bought the stolen data, and the group leaked it for free. Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini ( SecurityAffairs – hacking, ransomware)