Cookeville Regional Medical Center Hit by Rhysida Ransomware Attack, Exposing 337,917 Patients’ Data
Cookeville Regional Medical Center (CRMC), a 309-bed hospital serving 14 counties in Tennessee’s Upper Cumberland region, has notified 337,917 patients that their personal and medical data was compromised in a July 2025 ransomware attack. Breach notification letters were mailed on April 14, 2026 nearly nine months after the intrusion was detected.
The attack, attributed to the Russia-linked Rhysida ransomware-as-a-service group, occurred between July 11 and July 14, 2025. Rhysida claimed responsibility on August 2, 2025, demanding a 10 Bitcoin ransom (approximately $1.15 million at the time) and publishing sample files on its dark web leak site. It remains unclear whether CRMC paid the ransom.
Exposed data may include names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account details, medical record numbers, treatment information, and health insurance data. In response, CRMC is offering affected individuals 12 months of free identity theft protection through Experian.
The incident ranks as the eighth-largest U.S. healthcare ransomware breach of 2025 by records compromised. Comparitech, which tracked 134 confirmed attacks on U.S. healthcare providers last year, reported that these breaches exposed 11.7 million records. Rhysida alone claimed 91 attacks across all sectors in 2025, with 23 confirmed and an average ransom demand of $1.2 million.
Other recent Rhysida healthcare victims include Florida Lung, Asthma & Sleep Specialists ($639,000 demand), MedStar Health ($3.09 million), Spindletop Center ($1.65 million), MACT Health Board ($662,000), and Heart South Cardiovascular Group ($630,000).
Rebecca Moody, head of data research at Comparitech, noted that the extended investigation timeline reflects the complexity of forensic analysis following hospital ransomware attacks. She also highlighted that delayed or vague breach notifications can increase risks of identity theft and phishing for affected individuals.
CRMC has since implemented additional security measures in the wake of the attack. Ransomware incidents at U.S. hospitals frequently result in prolonged downtime, canceled appointments, and patient diversions, even when clinical systems remain operational.
Source: https://www.infosecurity-magazine.com/news/cookeville-medical-center-data/
PeaceHealth Sacred Heart Medical Center cybersecurity rating report: https://www.rankiteo.com/company/peacehealth-sacred-heart-medical-center
Florida Hospital Association cybersecurity rating report: https://www.rankiteo.com/company/florida-hospital-association
Cookeville Regional Medical Center cybersecurity rating report: https://www.rankiteo.com/company/crmc
"id": "PEAFLOCRM1776443473",
"linkid": "peacehealth-sacred-heart-medical-center, florida-hospital-association, crmc",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '337,917 patients',
'industry': 'Healthcare',
'location': 'Tennessee, USA',
'name': 'Cookeville Regional Medical Center (CRMC)',
'size': '309-bed hospital serving 14 counties',
'type': 'Hospital'}],
'customer_advisories': '12 months of free identity theft protection through '
'Experian offered to affected individuals',
'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
'data_exfiltration': 'Sample files published on dark web leak '
'site',
'number_of_records_exposed': '337,917',
'personally_identifiable_information': ['Names',
'Addresses',
'Dates of birth',
'Social Security '
'numbers',
'Driver’s license '
'numbers',
'Financial account '
'details',
'Medical record '
'numbers',
'Treatment '
'information',
'Health insurance '
'data'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal data', 'Medical data']},
'date_detected': '2025-07-11',
'date_publicly_disclosed': '2026-04-14',
'description': 'Cookeville Regional Medical Center (CRMC), a 309-bed hospital '
'serving 14 counties in Tennessee’s Upper Cumberland region, '
'has notified 337,917 patients that their personal and medical '
'data was compromised in a July 2025 ransomware attack. The '
'attack, attributed to the Russia-linked Rhysida '
'ransomware-as-a-service group, exposed data including names, '
'addresses, dates of birth, Social Security numbers, driver’s '
'license numbers, financial account details, medical record '
'numbers, treatment information, and health insurance data.',
'impact': {'data_compromised': '337,917 records',
'identity_theft_risk': 'Increased risk of identity theft and '
'phishing',
'operational_impact': 'Prolonged downtime, canceled appointments, '
'and patient diversions',
'payment_information_risk': 'Financial account details exposed'},
'investigation_status': 'Completed (forensic analysis)',
'lessons_learned': 'Delayed or vague breach notifications can increase risks '
'of identity theft and phishing for affected individuals. '
'The extended investigation timeline reflects the '
'complexity of forensic analysis following hospital '
'ransomware attacks.',
'motivation': 'Financial gain',
'post_incident_analysis': {'corrective_actions': 'Additional security '
'measures implemented'},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransom_demanded': '10 Bitcoin (~$1.15 million)',
'ransomware_strain': 'Rhysida'},
'references': [{'source': 'Comparitech'}],
'response': {'communication_strategy': 'Breach notification letters mailed on '
'April 14, 2026',
'remediation_measures': 'Additional security measures '
'implemented',
'third_party_assistance': 'Experian (identity theft protection)'},
'threat_actor': 'Rhysida ransomware-as-a-service group',
'title': 'Cookeville Regional Medical Center Hit by Rhysida Ransomware Attack',
'type': 'Ransomware'}