Rhysida Ransomware Exposes 337,000 Patient Records at Cookeville Regional Medical Center
Cookeville Regional Medical Center confirms a Rhysida ransomware attack exposed 337,000 patient records and 538 GB of data. Learn about the breach and defense strategies.
Rhysida ransomware has compromised data belonging to approximately 337,000 patients at Cookeville Regional Medical Center (CRMC), with attackers claiming the theft of 538 gigabytes of sensitive information. The breach underscores persistent cybersecurity challenges for healthcare providers.
Cookeville Regional Medical Center (CRMC) in Tennessee recently confirmed a significant data breach impacting hundreds of thousands of individuals. This incident involved the Rhysida ransomware group, known for its data exfiltration and extortion tactics.
An unauthorized party accessed CRMC's network between July 11 and July 14, 2025. A forensic investigation determined that during this window the attackers viewed or stole files containing patient data. This finding established the intrusion's scope and timeline.
Rhysida, a ransomware-as-a-service (RaaS) group, later claimed responsibility for the attack. The group posted CRMC on its data leak site, asserting it had exfiltrated 538 gigabytes of data from the medical center's systems. This volume indicates a broad collection of sensitive material.
The breach directly impacted approximately 337,000 individuals. Exposed data could include names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account details, and various medical and health insurance information. CRMC is notifying affected individuals directly.
This incident illustrates the growing threat ransomware groups pose to critical infrastructure, particularly healthcare. Groups like Rhysida often leverage initial access brokers or exploit known vulnerabilities (CVEs) to gain entry, then move laterally to exfiltrate data before deploying ransomware. Non-payment of a ransom demand frequently leads to public data leaks, increasing patient risk.
**What Defenders Should Do:** Healthcare organizations must prioritize robust cybersecurity defenses. Implement multi-factor authentication across all systems and regularly patch vulnerabilities, especially those listed in the CISA KEV (Known Exploited Vulnerabilities) catalog. Network segmentation can limit lateral movement during an attack. Regular security awareness training for staff on phishing and social engineering remains crucial. Incident response plans require frequent testing to ensure rapid detection and containment capabilities. Patients should monitor credit reports and account statements for suspicious activity and enroll in identity theft protection services offered post-breach.
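One concrete way to act on the "patch what is in the CISA KEV catalog first" advice above is to cross-reference vulnerability-scanner findings against the KEV feed and rank them by due date and ransomware linkage. The following is an added example, not code from the article or from CRMC; the field names (`cveID`, `dueDate`, `knownRansomwareCampaignUse`) follow the public CISA KEV JSON feed as I know it, but the feed excerpt, CVE ids, hosts and dates below are constructed placeholders, not real catalog entries.

```python
"""Prioritise patching by matching scan findings against a KEV-style feed."""
import json
from datetime import date

# Constructed KEV-style excerpt. Field names mirror the CISA KEV JSON feed;
# the CVE ids, products and dates are placeholders, not real entries.
KEV_FEED_JSON = """
{
  "catalogVersion": "example",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2025-06-01", "dueDate": "2025-06-22",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleMail", "product": "Server",
     "dateAdded": "2025-07-01", "dueDate": "2025-07-22",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleEHR", "product": "Portal",
     "dateAdded": "2025-07-20", "dueDate": "2025-08-10",
     "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed scanner output: CVE ids reported per host (hypothetical hosts).
SCAN_FINDINGS = {
    "vpn-edge-01": ["CVE-0000-0001", "CVE-0000-0099"],
    "mail-01": ["CVE-0000-0002"],
    "ehr-web-01": ["CVE-0000-0003", "CVE-0000-0001"],
    "workstation-17": ["CVE-0000-0100"],
}


def load_kev(feed_json):
    """Index KEV entries by CVE id so lookups are O(1) per finding."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritise(findings, kev, today):
    """Return (host, cve, priority, days_overdue) for every KEV-listed finding.

    P1: ransomware-linked and past the KEV due date.
    P2: ransomware-linked or past the due date, but not both.
    P3: in KEV, still inside the remediation window.
    Findings not in KEV are dropped here; they still need normal patching.
    Result is sorted so the most urgent rows come first.
    """
    rows = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_overdue = (today - due).days
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            if ransomware and days_overdue > 0:
                priority = "P1"
            elif ransomware or days_overdue > 0:
                priority = "P2"
            else:
                priority = "P3"
            rows.append((host, cve, priority, days_overdue))
    # Most overdue first within each priority band; host name breaks ties.
    rows.sort(key=lambda r: (r[2], -r[3], r[0]))
    return rows


def hosts_with_overdue_kev(rows):
    """Hosts that still carry at least one KEV entry past its due date."""
    return sorted({host for host, _, _, overdue in rows if overdue > 0})


if __name__ == "__main__":
    kev_index = load_kev(KEV_FEED_JSON)
    ranked = prioritise(SCAN_FINDINGS, kev_index, date(2025, 7, 14))
    for host, cve, prio, overdue in ranked:
        print(f"{prio} {host:15} {cve} overdue={overdue:+d}d")
    print("overdue hosts:", hosts_with_overdue_kev(ranked))
```

In practice the feed would be fetched from CISA and the findings pulled from the scanner's export; the ranking logic stays the same. Internet-facing systems such as VPN gateways that carry a P1 row are exactly the entry points ransomware operators favour, so they belong at the top of the patch queue.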
Organizations must remain proactive in implementing advanced threat detection and prevention strategies as cyber adversaries continue to evolve their tactics.