Nearly a year after being hit by ransomware, the Cookeville Regional Medical Center (CRMC) in Tennessee is finally notifying more than 337,000 patients that their sensitive medical data – plus Social Security numbers, government IDs, and financial information – was compromised during the four-day attack.
- Patients at a major Tennessee hospital are only now being told their sensitive data was caught up in last year’s ransomware attack.
- The exposed data may include Social Security numbers, government IDs, financial account details, and treatment information – the kind of records that can create long-term fallout for patients.
- Rhysida claimed the attack within weeks, posted sample files online, and demanded $1,150,000 – showing how quickly a hospital ransomware hit can escalate.
The 309-bed regional hospital began sending out breach notification letters to affected patients on Tuesday, along with a lengthy update about the July 11th attack posted on its website.
“Cookeville Regional Medical Center determined that an unauthorized third party accessed CRMC’s computer network and viewed or acquired certain files between July 11th, 2025, and July 14th, 2025,” it said, adding that upon discovering the “suspicious activity,” IT teams and outside specialists worked tirelessly to secure its systems.
This means the personal health data of 337,917 individuals was potentially at risk for more than nine months before those individuals were notified – although the hospital says there is no evidence patient information “has been misused as a result of the incident.”
Rebecca Moody, Head of Data Research at Comparitech, notes that the Cookeville data breach is “the eighth-largest on a US healthcare provider following a ransomware attack in 2025.”
She explains that oftentimes it’s not fully understood how extensive these attacks are until months (or sometimes years) after the event.

“It can take a considerable amount of time for organizations to investigate what data has been impacted in these breaches, which is why CRMC needs to be applauded for how it approached this attack,” Moody says.
Rhysida posted sample files
The Cookeville ransomware attack itself led to a technical outage, disrupting some of the medical center’s computer systems – although the impact to patient care was deemed limited at the time, the April 14th notice stated.
Barely two weeks after the breach, Rhysida, a seasoned ransomware group linked to Russia, had posted more than a dozen samples of the alleged data on its dark leak site, threatening to sell the full cache if the healthcare organization refused to cough up a $1,150,000 extortion demand.
It’s unclear if that ransom demand was ever paid, or if the data was eventually sold.

“From the outset, CRMC has been honest about the nature of the incident and was open about the fact it had fallen victim to a ransomware attack at the time,” Moody pointed out.
“The medical center also confirmed that data had been breached within a couple of months of the attack taking place, while its investigations into exactly who had been involved were ongoing,” she added.
What data was stolen?
The Cookeville Regional Medical Center serves about 250,000 patients annually across 14 counties in the Upper Cumberland region of Tennessee, extending into Kentucky.
According to its website, CRMC has over 2,500 employees, 175 physicians, and offers more than 40 medical and surgical specialties.

According to a “comprehensive review of the affected files,” CRMC says the personal information of certain individuals was accessed by the attackers.
This information may include:
- Name
- Address
- Date of birth
- Social Security number
- Driver’s license number
- Financial account number
- Medical treatment information
- Medical record number
- Health insurance policy information
Unfortunately, only those patients with a current/valid address on file with the medical center will receive a copy of the breach notification.
Still, Moody says that while some organizations avoid using the word “ransomware” and don’t issue any form of data breach notification for months, this lack of clarity and confirmation can leave those affected open to identity theft and phishing campaigns.
“Hopefully, many of the people impacted in this breach were aware of the attack in its early stages, so the letters being issued now are more of a formality than a shock,” Moody said.
Hospital offers free identity protection
CRMC is offering complimentary identity theft protection services for those individuals whose Social Security numbers and/or driver’s license numbers were involved in the incident, the healthcare organization said.
Officials also recommend that affected individuals be vigilant against potential phishing attacks and/or identity theft by reviewing their account statements and monitoring credit reports closely.
Anyone detecting fraud should immediately notify the financial institution or company behind the accounts, while also reporting the suspicious activity to law enforcement authorities and their state’s attorney general, it said.
CRMC says it is “committed to maintaining the privacy and security” of its patients and is taking “additional security measures” to prevent similar events from happening in the future.