Cookeville Regional Medical Center Hit by Rhysida Ransomware Attack, Exposing 337K Patients’ Data
Cookeville Regional Medical Center (CRMC), a 289-bed hospital in Tennessee, confirmed a July 2025 ransomware attack that compromised the personal and medical data of 337,917 individuals. The breach, detected on July 14, 2025, exposed sensitive information, including names, Social Security numbers, financial account details, medical records, health insurance data, driver’s license numbers, dates of birth, and addresses.
The cybercriminal group Rhysida claimed responsibility for the attack on August 2, 2025, demanding a 10 bitcoin ransom (approximately $1.15 million) in exchange for the stolen data. CRMC has not confirmed whether it paid the ransom or how the attackers breached its network. A forensic investigation revealed unauthorized access occurred between July 11 and July 14, 2025, with systems disrupted by ransomware on July 15.
As part of its response, CRMC is offering affected individuals one year of free identity theft protection through Experian.
Rhysida’s Growing Threat to Healthcare
Rhysida, a ransomware-as-a-service (RaaS) group that emerged in May 2023, has rapidly escalated its attacks, particularly against healthcare providers. In 2025 alone, the group claimed 91 ransomware incidents, with 23 confirmed by targeted organizations. Its average ransom demand is $1.2 million, and it has been linked to six confirmed healthcare breaches in 2025, including:
- Florida Lung, Asthma, & Sleep Specialists (10,000 records, $639K ransom)
- MedStar Health (MD) (undisclosed records, $3.09M ransom)
- Spindletop Center (TX) (88,863 records, $1.65M ransom)
- MACT Health Board (CA) (undisclosed records, $662K ransom)
- Heart South Cardiovascular Group (AL) (46,666 records, $630K ransom)
Rhysida remains active in 2026, with six additional attack claims one of which has been confirmed.
Broader Impact on U.S. Healthcare
The CRMC breach ranks as the eighth-largest healthcare data compromise in 2025, part of a surge in ransomware attacks targeting the sector. Researchers recorded 134 confirmed ransomware incidents against U.S. hospitals, clinics, and providers in 2025, exposing 11.7 million patient records.
Recent attacks include:
- Signature Healthcare (MA) – Attack claimed by Anubis (January 2026)
- Rocky Mountain Associated Physicians (UT) – 50,640 records exposed (October 2025, claimed by PEAR)
- Southern Illinois Dermatology – Breach claimed by Insomnia (November 2025)
- Aroostook Mental Health Services (ME) – Breach claimed by Qilin (December 2025)
Ransomware attacks on healthcare facilities disrupt critical operations, forcing hospitals to cancel appointments, divert patients, and revert to manual record-keeping, while exposing sensitive data to potential misuse.
Southern Tennessee Regional Health System cybersecurity rating report: https://www.rankiteo.com/company/southern-tennessee-regional-health-system
Cookeville Regional Medical Center cybersecurity rating report: https://www.rankiteo.com/company/crmc
"id": "SOUCRM1776271390",
"linkid": "southern-tennessee-regional-health-system, crmc",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '337,917 patients',
'industry': 'Healthcare',
'location': 'Tennessee, USA',
'name': 'Cookeville Regional Medical Center (CRMC)',
'size': '289 beds',
'type': 'Hospital'}],
'customer_advisories': 'Offering one year of free identity theft protection '
'through Experian',
'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
'data_exfiltration': 'Yes',
'number_of_records_exposed': '337,917',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Names',
'Social Security numbers',
'Financial account details',
'Medical records',
'Health insurance data',
'Driver’s license numbers',
'Dates of birth',
'Addresses']},
'date_detected': '2025-07-14',
'date_publicly_disclosed': '2025-08-02',
'description': 'Cookeville Regional Medical Center (CRMC), a 289-bed hospital '
'in Tennessee, confirmed a July 2025 ransomware attack that '
'compromised the personal and medical data of 337,917 '
'individuals. The breach exposed sensitive information, '
'including names, Social Security numbers, financial account '
'details, medical records, health insurance data, driver’s '
'license numbers, dates of birth, and addresses.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': '337,917 records',
'identity_theft_risk': 'Yes',
'operational_impact': 'Disrupted systems, potential cancellation '
'of appointments and diversion of patients',
'payment_information_risk': 'Yes'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain',
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransom_demanded': '10 bitcoins (~$1.15 million)',
'ransomware_strain': 'Rhysida'},
'references': [{'source': 'Cyber Incident Description'}],
'response': {'communication_strategy': 'Public disclosure, offering free '
'identity theft protection',
'third_party_assistance': 'Forensic investigation, Experian '
'identity theft protection'},
'threat_actor': 'Rhysida',
'title': 'Cookeville Regional Medical Center Hit by Rhysida Ransomware Attack',
'type': 'Ransomware'}