Cookeville Regional Medical Center (CRMC), a 309-bed hospital in Tennessee, has confirmed that a July 2025 ransomware attack by the Rhysida group compromised the personal and medical data of 337,917 patients. Breach notification letters began going out on April 14, 2026, more than nine months after the intrusion. The disclosure, filed with the Maine Attorney General's office, ranks as the eighth-largest ransomware breach affecting a US healthcare provider in 2025.
What Happened
On July 11, 2025, an unauthorized third party gained access to CRMC's internal network. The intrusion persisted for four days, from July 11 through July 14, during which attackers viewed or exfiltrated files containing patient data. The attack triggered a technical outage that disrupted hospital computer systems and forced IT teams and external incident responders into an emergency containment effort.
Within weeks of the attack, the Rhysida ransomware group publicly claimed responsibility. The group posted sample files from the breach on its dark web leak site and issued a ransom demand of $1,150,000. CRMC's breach notice states there is currently no evidence that patient data has been misused, though the nine-month gap between compromise and notification leaves a wide window of exposure.
What Was Taken
The compromised dataset potentially includes highly sensitive categories across 337,917 individuals:
- Social Security numbers
- Government-issued identification numbers
- Financial account information
- Medical treatment records and health data
- Other personally identifiable information (PII)
This combination of financial, identity, and health data is the most damaging class of breach for the individuals involved. A compromised card number can be reissued; a Social Security number, a diagnosis, or a treatment history cannot, so the stolen records remain usable for identity fraud, medical and insurance fraud, and convincingly detailed social engineering for years after the exposure.
Who Is Rhysida
Rhysida is a ransomware-as-a-service (RaaS) operation first observed in May 2023. The group has shown a consistent preference for targeting healthcare, education, and government organizations. Rhysida operators typically gain initial access through phishing campaigns or by exploiting exposed remote services, commonly VPN gateways reached with valid credentials where MFA is not enforced, then deploy their eponymous encryptor after lateral movement and data exfiltration.
The group operates a double-extortion model: encrypting victim systems while simultaneously stealing data and threatening public release. In CRMC's case, Rhysida moved quickly from compromise to public claim, posting sample files to pressure the hospital into payment. CISA and the FBI issued a joint #StopRansomware advisory on Rhysida (AA23-319A) in November 2023, warning specifically about its targeting of the healthcare and public health sector.
Why It Matters
This incident highlights three persistent failures in healthcare cybersecurity posture:
Notification lag remains systemic. Nine months between breach and patient notification is not unusual in healthcare, but it is deeply problematic. HIPAA's Breach Notification Rule requires individual notice without unreasonable delay and no later than 60 calendar days after the breach is discovered; in practice, covered entities frequently start that clock only when a forensic review has confirmed which individuals were affected, which is how gaps of this length arise. Affected individuals had no opportunity to take protective action during the period when their stolen data was most likely to be monetized on criminal marketplaces.
Healthcare remains a soft, high-value target. Hospitals operate under pressure to maintain uptime for patient care, which ransomware operators exploit as leverage. The data they hold is uniquely valuable on dark web markets, where medical records sell for significantly more than financial credentials alone.
Rhysida continues to operate with impunity. Despite federal advisories and public attention, the group shows no signs of slowing its campaigns against critical infrastructure. Each successful healthcare hit validates the playbook and funds further operations.
Rebecca Moody, Head of Data Research at Comparitech, noted that the full scope of these attacks often takes months or years to determine, adding that CRMC should be recognized for the thoroughness of its investigative approach.
The Attack Technique
Based on known Rhysida TTPs and the details available from this incident:
- Initial access likely involved phishing or exploitation of an externally facing service. Rhysida has historically leveraged valid credentials obtained through phishing or purchased from initial access brokers.
- Lateral movement occurred across CRMC's network over the four-day intrusion window (July 11-14), with attackers identifying and staging sensitive files for exfiltration.
- Data exfiltration preceded or accompanied the ransomware deployment, consistent with Rhysida's double-extortion model.
- Ransomware deployment disrupted hospital computer systems, causing a multi-day technical outage.
- Extortion followed rapidly, with Rhysida publicly claiming the attack, posting sample data, and demanding $1,150,000.
The four-day dwell time and the speed from initial compromise to public claim suggest either a well-rehearsed operational playbook or prior reconnaissance of the target environment. Note that the step-by-step sequence above is inferred from Rhysida's documented behaviour; CRMC's notice confirms only the July 11-14 window, the viewing or exfiltration of files, and the resulting outage.
What Organizations Should Do
- Audit external attack surface immediately. Identify and patch all internet-facing services, particularly VPNs, RDP endpoints, and web applications. Rhysida frequently exploits known vulnerabilities in perimeter infrastructure.
- Enforce phishing-resistant MFA across all accounts. SMS and app-based OTP codes can be captured and relayed in real time by adversary-in-the-middle phishing kits, so they do not stop the credential theft operations that feed groups like Rhysida. Deploy FIDO2/WebAuthn, which binds the authentication to the legitimate origin, wherever possible, and prioritize VPN and other remote-access accounts.
- Segment networks to limit lateral movement. Clinical systems, administrative networks, and data stores should not share flat network paths. Containment failures turned a four-day intrusion into a 337K-record breach.
- Implement and test offline backup recovery. Ransomware leverage evaporates when organizations can restore operations without paying. Backups must be immutable, tested regularly, and stored offline or in isolated environments.
- Establish and rehearse a breach notification plan. Nine months is too long. Organizations should have pre-drafted notification templates and legal workflows ready to deploy within regulatory timelines, and for HIPAA covered entities that means planning against the 60-day clock rather than treating it as a ceiling to approach.
- Monitor for stolen data on dark web marketplaces. Given that Rhysida posted sample files publicly, affected organizations and individuals should assume data is circulating and act accordingly.
Sources: Cookeville hospital notifies 337K after hack - Cybernews