Kettering Health Hack: Ransomware Group Takes Responsibility

June 4, 2025
Ransomware Attack on Kettering Health: Interlock Group Claims Responsibility

A ransomware gang has asserted responsibility for the cyberattack impacting Kettering Health, a comprehensive network encompassing hospitals, clinics, and medical centers situated in Ohio.

The healthcare system is still recovering two weeks after the ransomware attack, which necessitated the complete shutdown of all computer systems.

Interlock Ransomware Group and Data Breach

Interlock, a relatively recent ransomware group actively targeting healthcare organizations within the United States since September 2024, announced its involvement.

The group published a statement on its official dark web site, claiming the successful exfiltration of over 940 gigabytes of data from Kettering Health’s systems.

Initial reports by CNN on May 20th identified Interlock as the perpetrator of the breach at Kettering Health.

However, at that time, the group had not publicly acknowledged its role. This often suggests ongoing attempts to secure a ransom payment from the victim through threats of data release.

The group’s recent public claim may indicate stalled negotiations regarding a potential ransom.

Kettering Health's Response

John Weimer, Kettering Health’s senior vice president of emergency operations, previously confirmed to local news outlets that the organization had not yielded to the hackers’ demands for a ransom.

Claire Myree, a spokesperson for Kettering Health, declined to provide a statement when contacted by TechCrunch on Wednesday.

Requests for comment directed to an email address associated with Interlock’s dark web presence remained unanswered.

Stolen Data Details

A preliminary examination of files published by Interlock on the dark web reveals the compromise of a wide range of data from Kettering Health’s internal network.

This includes sensitive patient health information, such as names, identification numbers, and detailed clinical summaries compiled by physicians.

These summaries encompass crucial patient data categories, including mental status evaluations, medication lists, and documented health concerns.

Furthermore, stolen data extends to employee records and the contents of shared network drives.

Notably, one folder contained sensitive documents pertaining to officers of the Kettering Health Police Department, including background checks, polygraph results, and other personally identifiable information.

Restoration Efforts and System Recovery

On Monday, Kettering Health released an update regarding the cyberattack, announcing the successful restoration of “core components” of its electronic health record system.

This system is provided by Epic, a leading healthcare software company.

Kettering Health characterized this restoration as “a major milestone” in its overall recovery efforts, representing “a vital step toward returning to normal operations.”

The restored functionality enables the organization to update and access electronic health records, improve communication between care teams, and enhance the coordination of patient care with increased efficiency.
