Cookeville Regional Medical Center 2025 Data Breach
ObscureIQ Breach Intelligence
High SeverityWebsite / service breach
Cookeville Regional Medical Center Hospital Breach (2025): Patient SSN & Home Address Exposed
Regional medical center providing hospital and specialty care.
Verified by ObscureIQ Intelligence
77/100Breach Risk Index
27Data Value
40Market Recency
242dSince Breach
Breach Intelligence Summary
Entity: Cookeville Regional Medical Center · Actor: Rhysida · Sources: 2 references
Attack: Ransomware
Profile: Healthcare provider · Hospital and clinical services · Regional medical center · USA
Timeline: Breach (2025-08-02) · Indexed (Aug 28, 2025) · Year (2025)
Exposure: 21K records · 4 fields: Email Address, Phone Number, Physical Address, Social Security Number
Status: Reported
Executive Summary
Cookeville Regional Medical Center, a 309-bed hospital in Cookeville, Tennessee, suffered a ransomware attack between July 11 and July 14, 2025. The hospital discovered the incident on July 14 when the attack caused a technical outage of computer systems. The Rhysida ransomware-as-a-service group claimed responsibility on August 2, 2025 by listing CRMC on its dark-web leak site, demanding a 10 Bitcoin ransom worth approximately \$1.15 million at the time. After failing to find a buyer, Rhysida published the stolen data freely; the published archive reportedly comprised approximately 538 gigabytes across more than 372,000 files.\n\nThe publicly circulating dataset analysed by breach-tracking services included approximately 13,300 unique Social Security numbers, 20,500 street addresses, 8,500 phone numbers, and 7,700 email addresses. The CRMC formal disclosure to the Maine Attorney General put the total individuals affected at 337,917. Compromised fields per the official disclosure included names, dates of birth, addresses, Social Security numbers, driver's license numbers, financial account numbers, medical treatment information, medical record numbers, and health insurance policy information. Notification letters were mailed beginning April 14, 2026.\n\nFor affected patients, the practical risk profile combines severe identity-fraud exposure with hospital-specific risks. The combination of name, date of birth, address, Social Security number, and driver's license number is a strong base for synthetic identity fraud and fraudulent credit applications. Financial account number exposure raises direct payment-fraud risk. Inclusion in the dataset confirms a hospital-care relationship and may include sensitive treatment information that supports medical-themed scams. Affected patients should accept the Experian identity-theft protection offered by CRMC, freeze credit at all three U.S. bureaus, monitor financial accounts and health-insurance statements closely, and treat unsolicited contact referencing CRMC or any past hospital visit with caution.
ObscureIQ assessment: Severe risk of identity theft, medical fraud, insurance abuse, and targeted scams exploiting care relationships or treatment status.
Breach Impact
CRMC faces significant institutional exposure given the size of the affected population relative to its regional service area. Federal HIPAA notification obligations, an Office for Civil Rights review, multistate attorney-general filings, and active class-action litigation discussions are all underway. The CRMC incident ranks as the eighth-largest U.S. healthcare ransomware breach of 2025 by records compromised. Operationally, the ransomware attack caused a technical outage that disrupted scheduling and X-ray result delivery for several days, with reported delays for outpatient appointments and surgeries. The reputational impact is concentrated within the Upper Cumberland region of Tennessee, where CRMC is the dominant regional hospital and patient retention is unusually consequential.
About Cookeville Regional Medical Center
Cookeville Regional Medical Center (CRMC) is a 309-bed regional hospital based in Cookeville, Tennessee, serving the Upper Cumberland region across fourteen counties. The hospital provides emergency care, inpatient services, and a broad set of outpatient programs, with the surrounding system handling approximately 47,000 emergency room visits, 13,000 inpatient admissions, and nearly 200,000 outpatient visits annually. CRMC employs around 2,660 staff including 285 physicians. As a HIPAA-regulated regional hospital, CRMC maintains substantial volumes of protected health information including patient identity, insurance, billing, diagnostic, and treatment records across its hospital and outpatient operations.
Why They Hold Your Data
Regional medical centers collect patient identity, contact, insurance, billing, appointment, and clinical records across hospital and administrative workflows.
Recent Developments
CRMC discovered the ransomware attack on July 14, 2025 when unusual network activity caused a technical outage. The hospital reported the incident publicly on July 15, 2025, secured systems with assistance from outside cybersecurity experts, and notified law enforcement. The Rhysida ransomware-as-a-service group claimed responsibility on August 2, 2025 by listing CRMC on its dark-web leak site and demanding a ransom of 10 Bitcoin (worth approximately \$1.15 million at the time). Rhysida subsequently published the stolen data freely after failing to find a buyer. CRMC mailed breach notification letters to affected individuals on April 14, 2026, approximately nine months after detection. The hospital is offering twelve months of complimentary identity theft protection through Experian.
Data Points Exposed
4 verified field types
Email Address
Phone Number
Physical Address High
Social Security Number Critical
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Exploitation & Downstream Threats
Threat Activity:High
Primary downstream threats:
- Identity theft and synthetic identity construction using government-issued IDs
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat vectors:
- Phishing, credential stuffing & account takeover
- SIM swapping, vishing & SMS phishing
- Physical stalking, mail fraud & identity verification
- Home targeting, stalking & physical threat
- Full identity theft & synthetic identity fraud
Threat Actor: Rhysida
Rhysida
Ransomware
Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware.
Recommended Actions
If you believe your information may be included:
Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
Frequently Asked Questions
What happened in the Cookeville Regional Medical Center breach?▾
Cookeville Regional Medical Center, a 309-bed hospital in Cookeville, Tennessee, suffered a ransomware attack between July 11 and July 14, 2025. The hospital discovered the incident on July 14 when the attack caused a technical outage of computer systems. The Rhysida ransomware-as-a-service group…
What data was exposed?▾
Verified fields include Email Address, Phone Number, Physical Address, Social Security Number.
What should I do if I was affected?▾
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Sources & References
Every claim on this page is traceable. This breach draws on:
Breach Index
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Protect Yourself
Check If You're Affected
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
High-Risk? Get an Exposure Audit
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation