VYPR
Breach · Published Apr 16, 2026 · Updated May 18, 2026 · 1 source

Cookeville Regional Medical Center Ransomware Attack Exposes Data of 337,917 Patients

Cookeville Regional Medical Center in Tennessee has begun notifying 337,917 patients that their personal and medical data was stolen in a July 2025 ransomware attack carried out by the Rhysida group.

Cookeville Regional Medical Center (CRMC) in Tennessee has begun notifying 337,917 patients that their personal and medical data was compromised in a ransomware attack that occurred in July 2025. The 309-bed facility started mailing breach notification letters on April 14, 2026, nearly nine months after the intrusion was first detected, according to a filing with the Maine Attorney General's Office.

The Rhysida ransomware-as-a-service operation, which has been active since May 2023 and is linked to Russia, claimed responsibility for the attack on August 2, 2025. The gang demanded a ransom of 10 Bitcoin, worth approximately $1.15 million at the time, and posted sample files on its dark web leak site to pressure the hospital into paying. It remains unclear whether any ransom was paid.

The unauthorized access occurred between July 11 and July 14, 2025, during which files containing sensitive patient information were accessed or acquired. Exposed data may include names, addresses, dates of birth, Social Security numbers, driver's license numbers, financial account details, medical record numbers, treatment information, and health insurance data. CRMC is offering 12 months of free identity theft protection through Experian to affected individuals.

The CRMC incident ranks as the eighth-largest U.S. healthcare ransomware breach of 2025 by records compromised, according to Comparitech. The research firm logged 134 confirmed ransomware attacks on U.S. healthcare providers last year, exposing a total of 11.7 million records. Rhysida alone claimed 91 attacks across all sectors in 2025, with 23 confirmed and an average ransom demand of $1.2 million.

Rebecca Moody, head of data research at Comparitech, noted that the lengthy investigation timeline reflects the extensive forensic work required after a hospital ransomware incident. "It can take a considerable amount of time for organizations to investigate what data has been impacted in these breaches," Moody explained. She added that while some organizations avoid using the word 'ransomware' and delay breach notifications, this lack of clarity can leave affected individuals vulnerable to identity theft and phishing campaigns.

Ransomware attacks on U.S. hospitals routinely cause extended downtime, canceled appointments, and patient diversions, even when clinical systems remain operational. CRMC has stated that it has implemented additional security measures since the attack to prevent future incidents. The breach underscores the persistent threat that ransomware groups like Rhysida pose to the healthcare sector, where sensitive data and critical operations make hospitals prime targets.

Synthesized by Vypr AI