Kettering Health Hit by Interlock Ransomware: Patient Data Stolen & Services Disrupted

The Kettering Health network—encompassing hospitals, clinics, and medical centers throughout the state of Ohio—has yet to recover from a devastating incident: two weeks ago, a ransomware attack brought the organization’s digital infrastructure to a standstill. The assault has been claimed by the Interlock group, which surfaced on a dark web forum asserting responsibility and claiming access to 940 gigabytes of internal data.

Interlock’s alleged involvement was first reported on May 20, when CNN highlighted the group as a likely perpetrator. At the time, however, Interlock had made no public statement. Such silence is typical of ransomware operators, who initially attempt to negotiate a ransom while threatening to leak stolen information. That Interlock later openly claimed responsibility suggests that negotiations collapsed and the victim refused to pay.

Kettering Health had previously confirmed that it declined to meet the attackers’ demands. John Weimer, Senior Vice President for Emergency Operations, told local media that the organization had rejected the ransom. A spokesperson for Kettering Health declined to comment when contacted by TechCrunch. Interlock also did not respond to an inquiry sent to the email address listed on the dark web.

Samples published by Interlock reveal that the hackers accessed a vast array of data from Kettering Health’s internal network. The leaked archive reportedly includes patient information—such as names, contact numbers, and detailed medical records annotated by physicians. These files document mental health conditions, prescribed medications, symptoms, and other sensitive personal health data. In addition, the breach encompasses employee documents, shared folder contents, and even files related to law enforcement personnel from the medical center’s internal security department, including background questionnaires, polygraph results, and other confidential records.

On June 2, Kettering Health released a recovery update, stating that it had restored critical components of its electronic medical records system maintained by Epic. The organization hailed this as a major milestone toward resuming normal operations, enabling staff not only to update and access medical records but also to reestablish internal coordination and clinical collaboration.

Despite this progress, Kettering Health continues to rebuild its infrastructure in the aftermath of the attack. Meanwhile, Interlock is positioning itself as a formidable force capable of disrupting even the most vital systems—such as regional healthcare networks. Active since September 2024, the group has concentrated its efforts on the U.S. healthcare sector. Its emergence serves as a sobering reminder of how vulnerable medical institutions remain in the face of cyber threats—particularly when the stakes involve not just data, but human health and life itself.