
Ransomware Attack Exposes Data of 337,917 Patients at Cookeville Regional Medical Center

Details on the July 2025 ransomware attack on Cookeville Regional Medical Center that exposed personal data of 337,917 patients, including mitigation steps.

Peter Olaleru, Cybersecurity Editor

Source: Infosecurity Magazine

TL;DR: On July 14, 2025, Cookeville Regional Medical Center discovered a ransomware attack that exposed personal data of 337,917 patients. The breach occurred between July 11 and July 14 after attackers gained access via spearphishing.

Context

Cookeville Regional Medical Center is a Tennessee‑based hospital serving thousands of inpatient and outpatient patients each year. It discovered the intrusion on July 14, 2025 and later filed a breach notice with the Maine Attorney General confirming that an unauthorized party had accessed its network. The intrusion window ran from July 11 to July 14, 2025, during which files were viewed or copied.

Key Facts

- 337,917 individuals had personal information potentially compromised, including full names, Social Security numbers, dates of birth, driver’s license numbers, medical treatment details, health insurance data, and financial account information. Among them were 22 Maine residents.
- The attack vector was spearphishing emails with malicious attachments (MITRE ATT&CK T1566.001). After initial access, the attackers used valid accounts to move laterally (T1078) and deployed ransomware to encrypt data (T1486).
- CRMC launched an internal investigation, engaged a forensic security firm, and concluded the review on March 16, 2026. The hospital then began mailing notification letters and offered one year of free identity‑protection services.

What It Means

The exposure of Social Security numbers and financial data raises the risk of identity theft and fraud for affected patients. Healthcare organizations face potential HIPAA penalties, class‑action litigation, and reputational damage. The incident underscores the continued targeting of hospitals by ransomware groups seeking high‑value data, and the financial impact remains under review.

Mitigations

Because initial access in this incident was a spearphishing attachment followed by abuse of valid accounts, the email and identity controls below are the ones most directly relevant; the rest limit the blast radius once an attacker is inside.

- Deploy advanced email filtering to block spearphishing attachments and URLs.
- Enforce multi‑factor authentication on all remote access and privileged accounts.
- Review and tighten privileged account policies to limit abuse of valid credentials.
- Segment networks and restrict lateral movement using zero‑trust principles.
- Maintain offline, encrypted backups and test restoration procedures quarterly.
- Apply the latest security patches for internet‑facing services, prioritizing CISA’s Known Exploited Vulnerabilities catalog.
- Monitor for MITRE techniques T1566, T1078, and T1486 using SIEM rules based on CISA’s Ransomware Guidance.
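To make the last bullet concrete, here is an added example (not from the Infosecurity Magazine report, CRMC, or CISA) of the two detection rules a SIEM would most want for this attack pattern, run over constructed log lines: an account authenticating to a host it has never logged on to before (a T1078 lateral‑movement signal) and one account renaming many files to a new extension within a short window (a T1486 mass‑encryption signal). The log format, field names, thresholds (5 extension‑changing renames in 60 seconds), hostnames and sample events are all assumptions for the example; nothing here describes the actual CRMC telemetry.

```python
"""Added example: two ransomware-pattern detections over constructed log lines.

Not from the CRMC incident report. Log layout, thresholds and sample events are
assumptions. Each line is: ISO timestamp | event type | user | host | detail.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (raw string so the Windows paths need no escaping).
SAMPLE_LOG = r"""
2025-07-11T08:02:10 LOGON jsmith WS-114 interactive
2025-07-11T08:05:44 FILE jsmith WS-114 write D:\Users\jsmith\report.docx
2025-07-11T08:06:10 FILE jsmith WS-114 rename D:\Users\jsmith\report.docx -> D:\Users\jsmith\report_v2.docx
2025-07-11T09:00:00 LOGON nurse_k WS-207 interactive
2025-07-12T23:14:02 LOGON jsmith WS-114 interactive
2025-07-12T23:16:30 LOGON jsmith FS-01 network
2025-07-12T23:17:01 FILE jsmith FS-01 rename D:\Shares\radiology\img001.dcm -> D:\Shares\radiology\img001.dcm.locked
2025-07-12T23:17:02 FILE jsmith FS-01 rename D:\Shares\radiology\img002.dcm -> D:\Shares\radiology\img002.dcm.locked
2025-07-12T23:17:02 FILE jsmith FS-01 rename D:\Shares\radiology\img003.dcm -> D:\Shares\radiology\img003.dcm.locked
2025-07-12T23:17:03 FILE jsmith FS-01 rename D:\Shares\billing\claims.xlsx -> D:\Shares\billing\claims.xlsx.locked
2025-07-12T23:17:04 FILE jsmith FS-01 rename D:\Shares\billing\remit.pdf -> D:\Shares\billing\remit.pdf.locked
2025-07-13T07:30:00 LOGON nurse_k WS-207 interactive
"""

RENAME_THRESHOLD = 5                    # extension-changing renames by one account
RENAME_WINDOW = timedelta(seconds=60)   # inside this window trips the T1486 rule


def parse_events(text):
    """Parse the assumed log layout into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, host, detail = line.split(" ", 4)  # detail may contain spaces
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, "host": host, "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def _ext(path):
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_new_host_logons(events):
    """T1078 signal: an account logs on to a host absent from its own history.

    The account's first-ever logon is treated as baseline, not as an alert.
    """
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if e["kind"] != "LOGON":
            continue
        if seen[e["user"]] and e["host"] not in seen[e["user"]]:
            alerts.append({"technique": "T1078", "user": e["user"],
                           "host": e["host"], "ts": e["ts"]})
        seen[e["user"]].add(e["host"])
    return alerts


def detect_mass_rename(events):
    """T1486 signal: burst of renames that change the file extension.

    Same-extension renames (report.docx -> report_v2.docx) are normal work and
    are ignored; a sliding window per account counts only extension changes.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["kind"] != "FILE" or not e["detail"].startswith("rename "):
            continue
        src, _, dst = e["detail"][len("rename "):].partition(" -> ")
        if _ext(src) != _ext(dst):
            per_user[e["user"]].append((e["ts"], e["host"], _ext(dst)))
    alerts = []
    for user, renames in per_user.items():
        start = 0
        for end in range(len(renames)):
            while renames[end][0] - renames[start][0] > RENAME_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                alerts.append({"technique": "T1486", "user": user,
                               "host": renames[end][1], "ts": renames[start][0],
                               "new_extensions": sorted({r[2] for r in renames[start:end + 1]})})
                break  # one alert per account per burst is enough for triage
    return alerts


def detect(text=SAMPLE_LOG):
    """Run both rules and return the combined alert list."""
    events = parse_events(text)
    return detect_new_host_logons(events) + detect_mass_rename(events)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

On the constructed sample this produces exactly two alerts: jsmith's network logon to FS-01 (a host that account had never used) and, a minute later, five extension‑changing renames on that file server. The first four lines of the log, a normal workday, produce none. In a real SIEM the same logic would sit on authentication events and file‑server audit events, with the baseline built from weeks of history rather than the few lines shown here.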

Watch for updates on any regulatory fines and whether attackers attempt to sell the data on underground forums.
