Cookeville Regional Medical Center (CRMC), a 309-bed hospital serving Tennessee's Upper Cumberland region, has confirmed that a July 2025 Rhysida ransomware intrusion compromised the personal and medical data of 337,917 patients. The disclosure was filed with the Maine Attorney General's Office; by record count, the incident ranks as the eighth-largest US healthcare ransomware breach of 2025.
What Happened
An unauthorized party accessed and acquired files from CRMC's network between July 11 and July 14, 2025. The Russia-linked Rhysida ransomware-as-a-service operation, active since May 2023, claimed responsibility on August 2, 2025, demanding 10 Bitcoin (approximately $1.15 million at the time) and posting sample files on its dark web leak site. CRMC began mailing breach notification letters on April 14, 2026, roughly nine months after the intrusion. It remains unclear whether any ransom was paid.
What Was Taken
The compromised dataset spans a wide range of highly sensitive identifiers and clinical records. Information potentially exposed includes:
- Full names, addresses, and dates of birth
- Social Security numbers
- Driver's license numbers
- Financial account details
- Medical record numbers
- Treatment information
- Health insurance data
With 337,917 individuals affected and the hospital serving roughly 250,000 patients annually across 14 counties, the breach population likely includes both current patients and historical records. CRMC is offering 12 months of complimentary identity theft protection through Experian to those impacted.
Why It Matters
Rhysida has emerged as one of the most aggressive threat actors targeting the US healthcare sector. The group claimed 91 attacks across all sectors in 2025, with 23 confirmed and an average demand of $1.2 million. Recent healthcare victims tracked alongside CRMC include:
- Florida Lung, Asthma & Sleep Specialists (FL), May 2025, $639,000 demand
- MedStar Health (MD), September 2025, $3.09 million demand
- Spindletop Center (TX), September 2025, $1.65 million demand
- MACT Health Board (CA), November 2025, $662,000 demand
- Heart South Cardiovascular Group (AL), November 2025, $630,000 demand
The CRMC disclosure also illustrates a broader pattern documented by Comparitech, which logged 134 confirmed ransomware attacks on US healthcare providers in 2025, exposing 11.7 million records. The nine-month gap between intrusion and notification highlights an industry-wide problem: prolonged investigation timelines leave patients exposed to identity theft and phishing campaigns long before they are even aware of the risk.
The Attack Technique
Public filings do not disclose the initial access vector for the CRMC intrusion. Rhysida operators have historically gained entry through phishing campaigns, exploitation of internet-facing services, and the use of valid credentials acquired from initial access brokers. The group has previously been linked to Vice Society in joint analysis by threat researchers, and typically follows a double-extortion model: encrypting victim systems while exfiltrating data to pressure payment via dark web leak listings. The four-day window stated in the notification (July 11 to July 14) is the period of confirmed unauthorized access, not necessarily the full dwell time; even so, a window that short is consistent with Rhysida's pattern of rapid reconnaissance, lateral movement, and staged data exfiltration before the encryptor is deployed.
What Organizations Should Do
Healthcare organizations operating in environments comparable to CRMC should treat this incident as a prompt for the following defensive actions:
- Harden identity and access: Enforce phishing-resistant MFA on all remote access, VPN, and administrative interfaces; audit for dormant or shared accounts that Rhysida operators commonly leverage.
- Hunt for Rhysida TTPs: Review endpoint and network telemetry for indicators tied to Rhysida tooling, including PsExec, AnyDesk, and PowerShell-based reconnaissance, particularly across clinical and EHR-adjacent systems.
- Segment clinical networks: Isolate medical devices, imaging systems, and EHR backend infrastructure from general corporate IT to constrain lateral movement following an initial compromise.
- Validate offline backups: Maintain immutable or air-gapped copies of patient records, with at least one copy unreachable from domain credentials, and verify restoration procedures under realistic ransomware scenarios.
- Accelerate breach investigation capability: Pre-stage incident response retainers and forensic readiness so that scoping and notification do not stretch into a nine-month exposure window.
- Monitor leak sites: Track Rhysida's dark web portal and credential dumps for organizational data, partner exposure, and patient identifiers that may surface in downstream phishing campaigns.
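The hunt item above names PsExec, AnyDesk and PowerShell-based reconnaissance but does not show what a first-pass sweep of endpoint telemetry looks like. The script below is an added example written for this article; it is not CRMC's tooling, not code from the source, and not an official Rhysida indicator set. The sample events are constructed, the field names follow Sysmon's process-creation (Event ID 1) and Windows service-install (Event ID 7045) records but are an assumption, and the reconnaissance command list is an illustrative choice rather than an exhaustive one. It flags the named tools, decodes PowerShell -EncodedCommand payloads so discovery commands hidden inside them are still matched, and ranks hosts where several distinct rules fired, since tooling plus recon on one box is the combination worth pulling first.

```python
import base64
import re

# Constructed sample telemetry, not logs from the CRMC incident: Sysmon-style
# process-creation records (Event ID 1) plus one Windows System-log service
# installation record (Event ID 7045). Field names follow Sysmon's but are an
# assumption for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WS-CLINIC-12", "User": "HOSP\\nurse01",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Host": "WS-CLINIC-12", "User": "HOSP\\svc_backup",
     "Image": "C:\\Users\\Public\\AnyDesk.exe", "CommandLine": "AnyDesk.exe --silent"},
    {"EventID": 7045, "Host": "SRV-EHR-DB1", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 1, "Host": "SRV-EHR-DB1", "User": "HOSP\\svc_backup",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     # dwBoAG8AYQBtAGkA is the base64 of "whoami" encoded as UTF-16LE
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand dwBoAG8AYQBtAGkA"},
    {"EventID": 1, "Host": "SRV-EHR-DB1", "User": "HOSP\\svc_backup",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c nltest /dclist: & net group "Domain Admins" /domain'},
    {"EventID": 1, "Host": "WS-ADMIN-03", "User": "HOSP\\itadmin",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\patch-report.ps1"},
]

PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
ANYDESK_IMAGES = {"anydesk.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Discovery commands typical of hands-on-keyboard reconnaissance; an illustrative
# set chosen for this example, not an exhaustive or authoritative Rhysida list.
RECON_PATTERNS = [
    r"\bwhoami\b", r"\bnltest\b", r"\bnet\s+(group|view|user|localgroup)\b",
    r"\bGet-AD(Computer|User|Group)\b", r"\bquser\b", r"\bipconfig\b",
]
# Matches -e/-ec/-enc/-EncodedCommand (or the / form) followed by the base64 payload.
ENC_RE = re.compile(r"(?:-|/)(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, None if absent, a marker if malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def classify(event):
    """Apply every rule to one event; return a list of (rule, detail) findings."""
    findings = []
    if event.get("EventID") == 7045:
        name = event.get("ServiceName", "")
        if name.lower() == "psexesvc" or "psexesvc" in event.get("ImagePath", "").lower():
            findings.append(("psexec_service_install", name))
        return findings
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if image in PSEXEC_IMAGES:
        findings.append(("psexec_execution", image))
    if image in ANYDESK_IMAGES:
        findings.append(("anydesk_execution", image))
    searchable = cmd
    if image in POWERSHELL_IMAGES:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(("powershell_encoded_command", decoded))
            searchable = cmd + " " + decoded  # hunt inside the decoded script too
    for pat in RECON_PATTERNS:
        m = re.search(pat, searchable, re.IGNORECASE)
        if m:
            findings.append(("recon_command", m.group(0)))
    return findings


def hunt(events):
    """Run the rules over a stream of events and group the findings by host."""
    by_host = {}
    for ev in events:
        for rule, detail in classify(ev):
            by_host.setdefault(ev.get("Host", "?"), []).append(
                {"rule": rule, "detail": detail, "user": ev.get("User", "")})
    return by_host


def prioritise(by_host):
    """Hosts where several distinct rules fired (tooling plus recon) rank first."""
    return sorted(by_host, key=lambda h: -len({f["rule"] for f in by_host[h]}))


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host in prioritise(results):
        print(host)
        for f in results[host]:
            print(f"  {f['rule']:28} {f['user']:18} {f['detail']}")
```

On the sample data the EHR database server surfaces first with three distinct rule hits (PSEXESVC service install, an encoded PowerShell command that decodes to whoami, and net/nltest domain discovery under the same service account), while the clinic workstation shows only an AnyDesk launch and the admin workstation's legitimate PowerShell script produces nothing. The same service account appearing on both flagged hosts is the kind of pivot that should drive the credential audit in the first item of the list.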
Sources: Cookeville Hospital Discloses Rhysida Breach Hitting 337,917 - CyberMind