Kettering Health Status Update After the Ransomware Attack

By Daniel Lopez

Kettering Health is making progress in recovering from the ransomware attack it suffered on May 20, 2025. Although its EHR has been recovered, other IT systems are still offline, and its Ohio medical centers and outpatient services remain disrupted. Kettering Health reported restoring the core components of its Epic electronic health record (EHR) system on June 2, 2025. Patient data can now be entered directly into electronic health records, and patient data recorded manually during the outage can be added to patients’ digital records. With the EHR restored, care teams can communicate better and manage patient care faster.

Over the last two weeks, Kettering Health has had over 200 people from its IT and clinical teams working around the clock with Epic, its software company. The restoration of other IT systems, including its inbound and outbound phone lines and the MyChart patient portal, is still ongoing. Kettering Health’s emergency departments are now accepting patients, and its primary care facilities are treating walk-in patients.

The breach investigation is not yet finished, but notification letters will be sent to the impacted persons in compliance with HIPAA Breach Notification laws. On May 30, 2025, Kettering Health sent an update to its employees, partners, and community members concerning scam communications, such as telephone calls, SMS, and email messages. These communications are intended to frighten recipients, elicit a response, or claim that data has been exposed. The public is advised to be cautious and not to click hyperlinks, open file attachments, or respond to these communications. Anyone contacted by phone about the cyberattack should hang up right away. Report malicious or suspicious calls or messages to the police.

At the beginning of June, Kettering Health published an update confirming the theft of a small portion of patient information during the attack, but the scope of the data breach has not yet been verified. Kettering Health did not name the ransomware group responsible for the attack, though CNN reported on a copy of a ransom note from the Interlock ransomware group.

Recently, Interlock claimed responsibility for the ransomware attack, listed Kettering Health on its dark web data leak site, and published the stolen information, suggesting that the healthcare provider did not pay the ransom. The Interlock group states that 941 GB of data was stolen from Kettering Health before file encryption. The stolen information contains 732,490 files within 20,418 folders. Judging by the folder and file names, the stolen data appears to include payroll data, employee records, police security personnel records, scans of identity documents, Medicaid application files, financial income reports, company tax and insurance files, budget reports, pharmacy and blood bank records, and patient records.

Image credit: vetrana, AdobeStock / logo ©KetteringHealth


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA