Faith-based healthcare system operating hospitals and outpatient facilities.
Interlock gained access to Kettering Health on April 9, 2025 and, after 41 days, deployed ransomware on May 20, 2025, triggering a system-wide outage that forced paper charting and some ambulance diversions. Interlock claimed exfiltration of about 941 GB (roughly 732,000 files) and published stolen data after Kettering declined to pay. Leaked samples reviewed by researchers included patient names, medical record numbers, clinical summaries, medication lists, mental-health notes, insurance and pharmacy documents, and scans of identity documents and payroll files for employees; reported PII also includes DOB, SSN, and payment-card/banking data. Kettering confirmed 1,695,382 individuals affected on the HHS OCR portal and began notifications in early 2026, noting a file-by-file review and that only a subset of patients had the most sensitive data exposed.
ObscureIQ assessment: Severe risk. Exposure enables identity theft, medical fraud, insurance abuse, and targeted scams exploiting care relationships or treatment status.
The breach compromised a broad set of clinical, identity, and financial data (medical records, mental-health notes, medication lists, Social Security numbers, insurance, and payment/banking data) for roughly 1.7 million patients, plus HR/payroll and ID-document data for employees. The scale and sensitivity create severe medical-fraud, identity-theft, financial-fraud, and extortion risk, compounded operational disruption to patient care, and generated significant litigation and reputational exposure.
Kettering Health is a not-for-profit, faith-based (Adventist) integrated health system in western Ohio, operating roughly 14 hospitals and more than 120 outpatient sites. It provides emergency, surgical, imaging, pharmacy, and outpatient care using the Epic electronic health record, maintaining extensive patient clinical, insurance, and billing records as well as employee HR and payroll data.
Integrated health systems collect patient identity, contact, insurance, billing, appointment, and clinical records across hospitals, specialty care, and administrative operations.
A May 20, 2025 ransomware attack caused a system-wide outage; Kettering restored core Epic functions by early June and declared normal operations on June 13, 2025. It initially reported a placeholder of 501 affected individuals to HHS in July 2025, then confirmed the total at 1,695,382 and began mailing patient notifications in early 2026. A class-action lawsuit was filed in Montgomery County in June 2025.
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware / Extortion.
If you believe your information may be included:
Interlock gained access to Kettering Health on April 9, 2025 and, after 41 days, deployed ransomware on May 20, 2025, triggering a system-wide outage that forced paper charting and some ambulance diversions. Interlock claimed exfiltration of about 941 GB (roughly 732,000 files) and published stolen…
Verified fields include Clinical Notes, Date of Birth, Email Address, Financial Account, Full Name, Government ID, Health Insurance, Medical Diagnosis, Medical Record Number, Medication, Mental Health Notes, Phone Number, Physical Address, Social Security Number.
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Every claim on this page is traceable. This breach draws on:
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation