On Sept. 12, 2025, Cookeville Regional Medical Center (CRMC), a major hospital serving the Upper Cumberland region of Tennessee, disclosed a data breach to the U.S. Department of Health and Human Services (HHS). The total number of people affected has yet to be determined, as evidenced by the HHS breach portal using a placeholder number of 500 individuals impacted.
The breach was the result of a ransomware attack carried out by the RHYSIDA group, which publicly claimed responsibility for the incident on Aug. 2, 2025, via a posting on the Tor network, part of what is commonly called the dark web. The attack involved unauthorized access to CRMC’s systems, during which the threat actors claimed to have exfiltrated sensitive data. The group threatened to publish the stolen information within six to seven days of its announcement.
The nature of the data exposed in this breach has not been fully detailed by CRMC or HHS as of this writing. However, given the hospital’s role as a healthcare provider and the context of the breach, it is likely that both personally identifiable information (PII) and protected health information (PHI) were compromised. This may include names, addresses, dates of birth, Social Security numbers, medical records, and possibly insurance details.
The severity of this breach is heightened by the fact that ransomware actors not only encrypted files but also threatened to release patient data on the dark web, increasing the risk of identity theft and other forms of fraud for those affected.
In the wake of the ransomware attack, CRMC has taken steps to secure its network and investigate the incident. While specific details about their mitigation efforts have not been publicly disclosed, it is standard practice for organizations in this situation to work with cybersecurity experts to contain the breach, assess the scope of the data exposure, and restore affected systems.
Individuals who believe they may be affected by this breach should remain vigilant for signs of identity theft or fraud. It is advisable to monitor credit reports, review medical statements for unfamiliar charges, and be cautious of unsolicited communications that may attempt to exploit the situation. If CRMC offers credit monitoring or identity protection services, affected individuals should take advantage of these resources.
A breach notice means your personal details could be circulating far beyond the organization involved. One practical step is continuous monitoring: services such as Identity Defender (included with an ExpressVPN subscription) can automatically check dark-web markets, flag new credit-file activity, and request removal of your information from data-broker sites.
This kind of “early-warning system” can’t undo a breach, but it can help you spot misuse quickly and limit further exposure.