Cookeville Regional Medical Center, a 309-bed hospital in Cookeville, Tennessee, suffered a ransomware attack between July 11 and July 14, 2025. The hospital discovered the incident on July 14 when the attack caused a technical outage of computer systems. The Rhysida ransomware-as-a-service group claimed responsibility on August 2, 2025 by listing CRMC on its dark-web leak site, demanding a 10 Bitcoin ransom worth approximately \$1.15 million at the time. After failing to find a buyer, Rhysida published the stolen data freely; the published archive reportedly comprised approximately 538 gigabytes across more than 372,000 files.\n\nThe publicly circulating dataset analysed by breach-tracking services included approximately 13,300 unique Social Security numbers, 20,500 street addresses, 8,500 phone numbers, and 7,700 email addresses. The CRMC formal disclosure to the Maine Attorney General put the total individuals affected at 337,917. Compromised fields per the official disclosure included names, dates of birth, addresses, Social Security numbers, driver's license numbers, financial account numbers, medical treatment information, medical record numbers, and health insurance policy information. Notification letters were mailed beginning April 14, 2026.\n\nFor affected patients, the practical risk profile combines severe identity-fraud exposure with hospital-specific risks. The combination of name, date of birth, address, Social Security number, and driver's license number is a strong base for synthetic identity fraud and fraudulent credit applications. Financial account number exposure raises direct payment-fraud risk. Inclusion in the dataset confirms a hospital-care relationship and may include sensitive treatment information that supports medical-themed scams. Affected patients should accept the Experian identity-theft protection offered by CRMC, freeze credit at all three U.S. bureaus, monitor financial accounts and health-insurance statements closely, and treat unsolicited contact referencing CRMC or any past hospital visit with caution.

Regional medical centers collect patient identity, contact, insurance, billing, appointment, and clinical records across hospital and administrative workflows.

CRMC discovered the ransomware attack on July 14, 2025 when unusual network activity caused a technical outage. The hospital reported the incident publicly on July 15, 2025, secured systems with assistance from outside cybersecurity experts, and notified law enforcement. The Rhysida ransomware-as-a-service group claimed responsibility on August 2, 2025 by listing CRMC on its dark-web leak site and demanding a ransom of 10 Bitcoin (worth approximately \$1.15 million at the time). Rhysida subsequently published the stolen data freely after failing to find a buyer. CRMC mailed breach notification letters to affected individuals on April 14, 2026, approximately nine months after detection. The hospital is offering twelve months of complimentary identity theft protection through Experian.