Kettering Health operates 120 outpatient facilities and 14 medical centers in western Ohio. On May 20, 2025, it encountered organization-wide technology downtime that impacted 14 medical centers and call center operations. The disturbance caused critical IT systems to be inaccessible, so the health system decided to cancel booked inpatient and outpatient treatments.
The medical centers stayed open and accepted patients in the emergency rooms. The hospital personnel followed downtime procedures and used pen and paper to document patient data while the IT systems were not available. The IT team worked 24 / 7 to check into the incident and securely restore systems online. Kettering Health’s announcement on its website states that there are procedures and protocols (required before getting HIPAA certification) in case of these types of circumstances and that patients can still get safe, high-quality care in their facilities.
Based on CNN, which secured a copy of a ransom note, the Interlock ransomware group was behind the attack. The threat group is known for targeting the healthcare sector with its double extortion attacks. The Interlock ransomware group attacks systems, determines the data of interest, extracts files, and deploys ransomware for file encryption. The ransom should be paid to avoid the exposure of the stolen information on its dark web data leak website and to get the data decryption keys. Interlock was responsible for the ransomware attack involving the Brockton Neighborhood Health Center in Massachusetts, the kidney dialysis service provider Davita, Texas Tech University Health Sciences Center, and the Drug and Alcohol Treatment Service in Pennsylvania.
Interlock first appeared in October 2024, and had 16 confirmed ransomware attacks, although 17 are still unconfirmed. The ransomware group also claimed responsibility for the attack on West Lothian Council, UK, which interrupted its school system for over a week. The Kettering Health attack is still in its beginning stages, but data theft is very probable, and Interlock will likely leak the information if no ransom payment is given.
The investigation is not yet finished, and Kettering Health has no announcement yet concerning the extent of the breach or if patient information was stolen. The healthcare system stated that the disruption was the result of a cyberattack, but hasn’t confirmed the use of ransomware in the attack. The Interlock ransomware group says it obtained the most important files and will leak the stolen information if Kettering Health doesn’t pay the ransom.
After the announcement, Kettering Health released an alert regarding scam calls made by individuals misrepresenting Kettering Health team members asking for credit card payments for healthcare bills. Although it is normal for Kettering Health to speak with patients through phone calls regarding payment alternatives for medical expenses, as a safety precaution, the health system will not do so or accept payment by phone until additional information is provided.
