Interlock Begins Leaking Kettering Health’s Stolen Data



Ohio-Based Organization Says It’s Making Progress Restoring IT, Beefing Up Security


Cybercrime group Interlock has begun publishing some of the 941 gigabytes of data the gang claims to have stolen in a disruptive May attack on Kettering Health. The Ohio-based healthcare organization says it is making IT system restoration progress and enhancing cybersecurity, but is still recovering.


Kettering Health in an updated statement on Thursday also acknowledged Interlock’s claims about the attack (see: Ohio Health System Responding to Cyberattack, Fraud Scams).

“On Tuesday, May 20, Kettering Health was impacted by a cybersecurity incident we have reason to believe was launched by the ransomware group Interlock,” Kettering said. “This prompted an immediate and comprehensive response to ensure the security of our systems and the integrity of our data.”

During the height of the IT outage, the attack affected patient care services, forcing Kettering to cancel elective inpatient and outpatient procedures. Kettering’s emergency rooms had also diverted patients to other medical facilities, but those diversions have now ended, Kettering said.

Interlock claims on the dark web to have more than 732,500 files and 20,000 folders of stolen Kettering data. The gang has begun leaking some of the data on its leak site, including images of individuals’ driver’s licenses, passports and various Kettering financial and other business documents. Folders listed on Interlock’s leak site allegedly containing Kettering’s data also include titles such as “pharmacy surgery,” “EOBs,” “Medicaid applications,” “blood bank” and “police-security personnel.”

“Interlock’s claim of stealing over 940 GB of data from Kettering Health shows the group’s growing technical maturity and ambition,” said Scott Weinberg, CEO and founder of managed services firm Neovera. “While the volume of stolen data is notable, it’s the diversity of the data, spanning thousands of folders and hundreds of thousands of files, that poses the greatest concern for victim organizations,” he said.

Interlock is a relative newcomer to the ransomware scene, and what sets it apart from many other cybercrime gangs is its focus on maximizing visibility and leverage during the extortion phase, Weinberg said.

“They’ve demonstrated an almost marketing-driven approach to amplifying fear and urgency with victims and the public,” he said. “That behavioral pattern, along with large-scale data exfiltration, points to a calculated strategy, not just an opportunistic attack.”

Kettering did not immediately respond to Information Security Media Group’s request for comment on the Interlock data leak claims.

More Work Ahead

Meantime, on Monday, Kettering said it was making progress restoring various IT systems, including its Epic electronic health record system, affected by the attack.

“Over 200 individuals – including Kettering health information systems team and clinical team members as well as partners from Epic – worked to reach this point,” Kettering said. “This launch reestablishes Kettering Health’s ability to update and access electronic health records, facilitate communication across care teams and coordinate patient care with greater speed and clarity.”

Kettering said it is still working on restoring its MyChart patient portal and its “online in- and outbound calling to Kettering Health facilities and practices.”

As of Thursday, Kettering said it also reached other important milestones in its system-wide restoration. That includes:

  • Completing threat removal, including eradication of “the tools and persistence mechanisms used by the third-party group”;
  • Reviewing and implementing security enhancements, including network segmentation, improved monitoring and updated access controls;
  • Assessing and patching vulnerabilities, including ensuring that all software updates are in place.

“We are confident that our cybersecurity framework and employee security training are sufficient to mitigate future risks,” Kettering said.

“We have strong confidence that our network-connected devices are secure, and our connections to our partners are fully protected,” the statement said. “Our primary focus has shifted to ensuring that patients can reliably communicate, schedule and receive all types of care from Kettering Health.”

Affiliated with the Seventh-day Adventist church, Kettering operates 14 medical centers and more than 120 outpatient facilities in Western Ohio, and has more than 1,800 physicians and 15,000 employees.

Ransomware attacks on healthcare providers like Kettering are “designed to hurt – to disrupt operations, to create chaos, to squeeze victims for cash when they’re in their most desperate hour,” said Jon Miller, co-founder and CEO of security firm Halcyon.

“But when that chaos hits a hospital, it’s not just some IT headache or an inconvenient return to pen and paper, it’s a public health crisis. You’re talking about delayed treatments, canceled surgeries and patients who can’t get the care they need,” he said. “Real patients are paying the price.”

In addition to dealing with the IT outage and data theft situation, Kettering has been warning patients, employees and the community at large about targeted scams involving the incident.

“These may include fraudulent emails, calls or text messages designed to intimidate, demand a response or claim data exposure,” Kettering said in a statement last week.

“We urge the public to exercise caution. If you receive suspicious communications, do not respond, click links, or open attachments; hang up immediately if contacted by phone, report suspicious messages to the police.”




