Cookeville Regional Medical Center (CRMC), a 309-bed hospital serving 14 counties across Tennessee and Kentucky, has notified 337,917 individuals that their personal and medical data was compromised in a Rhysida ransomware attack that occurred in July 2025. The breach notification was filed with the Office of the Maine Attorney General on April 14, 2026 — nearly nine months after the initial intrusion.
The Attack: July 11–14, 2025
CRMC determined that an unauthorized third party accessed its network and viewed or acquired certain files between July 11 and July 14, 2025. The hospital first became aware of unusual activity on July 13, 2025, when a "technical outage" disrupted some computer systems.
Despite the disruption, CRMC stated that patient care largely remained unaffected, though some scheduling delays and test result slowdowns were reported. The hospital's security team, external cybersecurity experts, and federal authorities worked to restore services.
Rhysida Claims the Attack
Barely two weeks after the breach, the Rhysida ransomware group listed CRMC on its dark web leak site on August 2, 2025, posting more than a dozen sample files as proof of the stolen data. The samples reportedly included:
- Driver's licenses
- Patient medical records
- Employee tax forms
- Financial documents dating back to 2018
Rhysida issued a $1,150,000 extortion demand, threatening to sell the full stolen cache if the hospital refused to pay. The listing date — more than two weeks after CRMC detected the breach — suggests negotiations with the group broke down before the public posting. It remains unclear whether any portion of the ransom was paid or whether the full dataset was subsequently sold.
Scale of the Breach
The breach affected 337,917 individuals, including patients, staff, and potentially vendors or partners. CRMC serves approximately 250,000 patients annually across 14 counties, with over 2,500 employees and 175 physicians. The stolen 500 GB dataset is one of the larger healthcare data thefts reported in this period.
About Rhysida
Rhysida is a Russian-linked ransomware-as-a-service (RaaS) group that emerged in May 2023 and has since claimed more than 200 victims globally. The group targets organizations across healthcare, education, manufacturing, and government — sectors that often combine sensitive data with under-resourced security programs.
Rhysida's known tactics include:
| TTP | Description |
|---|---|
| Initial Access | Phishing emails, compromised remote access |
| Lateral Movement | Cobalt Strike for network exploitation |
| Ransomware Delivery | Custom Rhysida encryptor |
| Extortion | Double extortion — encryption plus data leak threat |
| Leverage | Patient safety risks used to pressure healthcare providers |
High-profile Rhysida victims include The Washington Times, the British Library, the City of Columbus, and multiple U.S. hospital systems including Prospect Medical Group and Lurie Children's Hospital.
Why Healthcare Remains a Prime Target
Healthcare organizations are disproportionately targeted by ransomware groups for several interconnected reasons:
- Urgency of operations — hospitals cannot afford extended outages without patient harm, increasing willingness to pay
- Sensitive data — medical records and patient PII command high prices and create strong extortion leverage
- Legacy systems — many healthcare environments run outdated software with unpatched vulnerabilities
- Under-resourced security — smaller regional hospitals like CRMC often lack the staffing and tooling of enterprise security teams
The Cookeville breach follows a well-established pattern: ransomware actors targeting regional or mid-tier healthcare providers that are large enough to hold valuable data but may lack the security posture of major academic medical centers.
What Affected Individuals Should Do
CRMC has begun sending breach notification letters to affected individuals. If you are or were a patient, employee, or associate of Cookeville Regional Medical Center:
- Review your notification letter for specifics on what data was included in the breach affecting you
- Monitor your credit — if financial documents were compromised, consider placing a fraud alert or credit freeze with the major bureaus (Equifax, Experian, TransUnion)
- Watch for medical identity theft — unauthorized use of your insurance or medical identity can affect your healthcare records and billing
- Be cautious of follow-on phishing — breach victims are often targeted by scams that use the stolen data
- Enroll in identity monitoring if CRMC offers it as part of the notification response
Healthcare Ransomware: A Persistent Crisis
The Cookeville breach is far from an isolated incident. Healthcare ransomware attacks in 2025–2026 have resulted in:
- Dozens of regional hospitals disclosing breaches affecting hundreds of thousands of patients
- Documented patient harm from delayed procedures and unavailable records during ransomware incidents
- Growing regulatory pressure on healthcare organizations to improve cyber resilience under HIPAA and emerging sector-specific frameworks
The FBI's 2025 Internet Crime Report documented healthcare as one of the top sectors by ransomware impact, with recovery costs averaging tens of millions per incident when factoring in downtime, notification, legal fees, and remediation.
Sources: SecurityWeek, Cybernews, SC Media, Migliaccio & Rathod LLP