Incident Overview On May 20 2025 , Kettering Health-a not-for-profit network of 14 hospitals and 120+ outpatient sites in western Ohio-discovered a ransomware attack that triggered a “system-wide technology outage.” Phone lines the Epic electronic health-record (EHR) system scheduling platforms and other clinical applications were abruptly encrypted forcing clinicians to revert to paper charts and reroute some ambulances. Emergency rooms however stayed open under downtime protocols. Kettering immediately initiated its incident-response playbook: it segmented affected networks pulled critical servers offline and brought in third-party forensics specialists while notifying federal law-enforcement partners. By June 2 -less than two weeks later-the core components of Epic were back online and on June 13 the organization declared “normal operations” for key services such as surgery imaging retail pharmacy and outpatient visits. Discovery and Containment The June 5 status report confirmed that investigators had “eradicated all of the ransomware group’s tools and persistence mechanisms ” applied emergency patches and hardened segmentation access-control and monitoring rules across its environment. More than 200 internal IT and clinical personnel-along with Epic engineers-worked around the clock to rebuild infrastructure and clear backlogs of manually captured patient data. Data-Exposure Claims Emerge On June 4 2025 the Interlock ransomware gang publicly claimed responsibility boasting on its leak site that it had exfiltrated about 941 GB-roughly 732 000 files stored in 20 000 folders -before launching encryption. Early leaked samples reviewed by journalists and researchers included:

Patient names medical-record numbers clinical summaries medication lists mental-health notes Scans of identity documents and payroll files for employees Financial revenue reports insurance files blood-bank and pharmacy documents When negotiations stalled Interlock began publishing portions of the haul on the dark web. Kettering acknowledged the postings but emphasized that only “a small subset” of patient data appears affected and that a file-by-file review is under way to determine whose information was involved. Impact on Patients The breach’s immediate operational fallout was significant:

Diversions & cancellations: Several facilities temporarily diverted ambulances and cancelled elective procedures the week of May 20. Communication outages: Phone lines and the MyChart patient portal were intermittently unusable until mid-June. Scam activity: Kettering warned of fraudulent calls demanding credit-card payments for medical bills and advised patients to hang up and contact police. Based on leaked samples and court filings the following categories of personally identifiable information (PII) may have been compromised: Full name Date of birth & Social Security number Health-insurance details Clinical notes / diagnosis information Payment-card or banking data Employee HR and payroll records Not every individual’s data was exposed; you can search DataBreach.com’s lookup tool to check specific records. Separately a class-action lawsuit filed in Montgomery County on June 16 alleges that Kettering’s security controls were inadequate and that service disruptions caused missed appointments-even for oncology and orthopedic patients. Kettering Health’s Ongoing Investigation Kettering says its forensic investigation “remains active.” Notices will be mailed directly to affected individuals including offers of credit-monitoring or identity-theft protection where warranted. The health system is also collaborating with vendors to tighten network segmentation and implement additional zero-trust controls, while law-enforcement agencies pursue Interlock.