Tennessee Hospital Confirms Massive Data Breach Affecting Over 337,000 Patients
Cookeville Regional Medical Center (CRMC), a 289-bed hospital and multi-site healthcare provider in Tennessee, has confirmed a significant data breach stemming from a Rhysida ransomware attack. The incident, discovered in July 2025, exposed the sensitive personal and medical information of more than 337,000 individuals — and the stolen data has since been published online for anyone to download.
Timeline of the Attack
According to CRMC's official data breach notice, the hospital detected unauthorized network access on July 14, 2025. A subsequent forensic investigation revealed that threat actors had been exfiltrating files in the days prior to discovery — a common tactic used by ransomware groups to maximize leverage before deploying encryption or making extortion demands.
By August 2025, the Rhysida ransomware group had listed CRMC on their public leak website, demanding 10 bitcoin — valued at approximately $1 million at the time — in exchange for not releasing the stolen data. When no buyer materialized, the group reportedly made the entire dataset freely available for download.
What Data Was Compromised?
The breadth of data stolen in this breach is particularly alarming given the sensitive nature of healthcare records. CRMC disclosed that compromised information may include:
- Full names and dates of birth
- Home addresses
- Social Security numbers (SSNs)
- Driver's license numbers
- Financial account numbers
- Medical treatment information
- Health insurance policy information
Rhysida claims to have stolen more than 370,000 files totaling 500 GB of data. The combination of financial identifiers and protected health information (PHI) creates an exceptionally high risk profile for affected individuals, who may face identity theft, insurance fraud, and medical identity theft for years to come.
Who Is the Rhysida Ransomware Group?
Rhysida is a ransomware-as-a-service (RaaS) operation that emerged in mid-2023 and has repeatedly targeted the healthcare sector. The group is known for its double-extortion model: encrypting victim systems while simultaneously exfiltrating data, then threatening to publish stolen files on its dark web leak site unless a ransom is paid.
Healthcare organizations are a frequent target for Rhysida and similar groups because they hold large volumes of high-value personal data, often operate legacy IT systems, and face intense pressure to restore operations quickly — making them more likely to pay ransoms. Federal agencies, including the FBI and CISA, have issued joint advisories warning the healthcare sector about Rhysida's tactics.
The Real Risk: Data Is Already Public
CRMC stated in its breach notice that it has "no evidence that any information may have been misused as a result of this incident." However, security experts warn that this statement must be interpreted carefully.
When stolen data is freely published on the internet, the risk of abuse is not theoretical — it is ongoing and compounding. The data can be downloaded, traded, and weaponized by any number of malicious actors indefinitely.
Unlike a breach where data remains in the hands of a single threat actor, publicly leaked datasets enter a long-tail cycle of exploitation. Fraudsters, phishing operators, and identity thieves routinely harvest such dumps long after the original incident has faded from the news cycle.
Notification and Victim Support
CRMC formally notified the Maine Attorney General's Office, as required under Maine's breach notification law, confirming that more than 337,000 individuals are affected. The hospital is offering identity theft protection services, but only to those whose Social Security numbers or driver's license numbers were specifically compromised — leaving some affected patients without direct support despite the wide scope of the exposed data.
Affected individuals who have not yet received a notification letter should monitor their credit reports, review their insurance explanation-of-benefits statements for unfamiliar claims, and consider placing a credit freeze with all three major bureaus as a precautionary measure.
A Growing Crisis in Healthcare Cybersecurity
The CRMC breach is part of a deeply troubling pattern. Healthcare institutions across the United States have become primary targets for ransomware operators, with attacks frequently disrupting patient care, diverting ambulances, and compromising records at scale. Recent incidents at other facilities, such as Nacogdoches Memorial Hospital (250,000 affected), underscore the systemic vulnerability of the sector.
Key factors that continue to expose hospitals to these attacks include:
- Underfunded cybersecurity budgets relative to the value and sensitivity of data held
- Legacy medical devices and software that cannot easily be patched or segmented
- Large, distributed networks connecting hospitals, clinics, and third-party vendors
- High operational urgency that discourages taking systems offline for remediation
Conclusion: Lessons From the CRMC Breach
The Rhysida ransomware attack on Cookeville Regional Medical Center is a stark reminder that healthcare cybersecurity failures carry real human consequences. Over 337,000 patients now face lasting exposure of their most sensitive personal, financial, and medical data — through no fault of their own.
For healthcare organizations, this incident reinforces the critical need for robust network segmentation, proactive threat hunting, and tested incident response plans. For patients, it is a reminder to remain vigilant long after breach notifications arrive. And for the broader industry, CRMC joins a growing list of hospitals that have learned, at great cost, that ransomware groups will not hesitate to monetize patient data — even when no ransom is paid.