Kettering Health 2025 Data Breach

Kettering Health Faith-Based Hospital System Breach (2025): 1.7M Patient & Employee Records Including Medical, SSN & Financial Data Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

InterlockRansomware / ExtortionMedicalClinical NotesDate of BirthEmail AddressFinancial AccountFull NameGovernment IDHealth Insurance
High SeverityWebsite / service breach

Kettering Health Faith-Based Hospital System Breach (2025): 1.7M Patient & Employee Records Including Medical, SSN & Financial Data Exposed

Faith-based healthcare system operating hospitals and outpatient facilities.

Verified by ObscureIQ Intelligence
82/100Breach Risk Index
78Data Value
25Market Recency
387dSince Breach

Breach Intelligence Summary

Entity: Kettering Health · Actor: Interlock · Sources: 2 references
Attack: Ransomware / Extortion
Profile: Healthcare provider · Hospital and clinical care services · Integrated health system · USA
Timeline: Breach (2025-05-20) · Indexed (Jun 16, 2025) · Year (2025)
Exposure: 1.7M records · 14 fields: Clinical Notes, Date of Birth, Email Address, Financial Account, Full Name, Government ID, Health Insurance, Medical Diagnosis, Medical Record Number, Medication, Mental Health Notes, Phone Number, Physical Address, Social Security Number
Status: Confirmed

Executive Summary

Interlock gained access to Kettering Health on April 9, 2025 and, after 41 days, deployed ransomware on May 20, 2025, triggering a system-wide outage that forced paper charting and some ambulance diversions. Interlock claimed exfiltration of about 941 GB (roughly 732,000 files) and published stolen data after Kettering declined to pay. Leaked samples reviewed by researchers included patient names, medical record numbers, clinical summaries, medication lists, mental-health notes, insurance and pharmacy documents, and scans of identity documents and payroll files for employees; reported PII also includes DOB, SSN, and payment-card/banking data. Kettering confirmed 1,695,382 individuals affected on the HHS OCR portal and began notifications in early 2026, noting a file-by-file review and that only a subset of patients had the most sensitive data exposed.

ObscureIQ assessment: Severe risk. Exposure enables identity theft, medical fraud, insurance abuse, and targeted scams exploiting care relationships or treatment status.

Breach Impact

The breach compromised a broad set of clinical, identity, and financial data (medical records, mental-health notes, medication lists, Social Security numbers, insurance, and payment/banking data) for roughly 1.7 million patients, plus HR/payroll and ID-document data for employees. The scale and sensitivity create severe medical-fraud, identity-theft, financial-fraud, and extortion risk, compounded operational disruption to patient care, and generated significant litigation and reputational exposure.

About Kettering Health

Kettering Health is a not-for-profit, faith-based (Adventist) integrated health system in western Ohio, operating roughly 14 hospitals and more than 120 outpatient sites. It provides emergency, surgical, imaging, pharmacy, and outpatient care using the Epic electronic health record, maintaining extensive patient clinical, insurance, and billing records as well as employee HR and payroll data.

Why They Hold Your Data

Integrated health systems collect patient identity, contact, insurance, billing, appointment, and clinical records across hospitals, specialty care, and administrative operations.

Recent Developments

A May 20, 2025 ransomware attack caused a system-wide outage; Kettering restored core Epic functions by early June and declared normal operations on June 13, 2025. It initially reported a placeholder of 501 affected individuals to HHS in July 2025, then confirmed the total at 1,695,382 and began mailing patient notifications in early 2026. A class-action lawsuit was filed in Montgomery County in June 2025.

Data Points Exposed

14 verified field types
Clinical Notes
Date of Birth High
Email Address
Financial Account
Full Name High
Government ID Critical
Health Insurance
Medical Diagnosis Critical
Medical Record Number
Medication
Mental Health Notes
Phone Number
Physical Address High
Social Security Number Critical

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Medical identity fraud and insurance abuse using clinical, medication, and insurance data
  • Identity theft and synthetic identity construction using SSN, DOB, and ID documents
  • Financial fraud using exposed payment-card/banking data
  • Extortion using mental-health notes and sensitive diagnoses
  • Employee-directed HR/payroll fraud and social engineering
  • Targeted phishing/vishing and fraudulent medical-bill scams
  • Doxxing and physical targeting from exposed home addresses
Threat vectors:
  • Medical extortion, insurance fraud & discrimination
  • Full identity theft & synthetic identity fraud
  • Financial account & payment card fraud
  • Mental-health-based extortion & blackmail
  • Employee/HR-targeted social engineering
  • Name-based social engineering
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat

Threat Actor: Interlock

Interlock
Ransomware / Extortion

Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware / Extortion.

Recommended Actions

If you believe your information may be included:

Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Kettering Health breach?

Interlock gained access to Kettering Health on April 9, 2025 and, after 41 days, deployed ransomware on May 20, 2025, triggering a system-wide outage that forced paper charting and some ambulance diversions. Interlock claimed exfiltration of about 941 GB (roughly 732,000 files) and published stolen…

What data was exposed?

Verified fields include Clinical Notes, Date of Birth, Email Address, Financial Account, Full Name, Government ID, Health Insurance, Medical Diagnosis, Medical Record Number, Medication, Mental Health Notes, Phone Number, Physical Address, Social Security Number.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation