The Interlock ransomware gang has published 941 GB of data allegedly stolen from the Ohio healthcare network Kettering Health.
Roughly two weeks ago, the non-profit organization announced cancelling patient procedures while dealing with a system-wide outage caused by a cyberattack.
The incident made certain patient care systems across the network inaccessible and impacted the organization’s call center, but the healthcare provider kept emergency rooms and clinics open.
Within a week, Kettering Health announced that patients could come to their appointments as scheduled, and that walk-in care could be provided to established patients.
After progressively restoring the full operations of emergency departments and other patient care services, the organization said on Monday that it “successfully launched the core components of its Epic electronic health record (EHR) system”.
“This launch reestablishes Kettering Health’s ability to update and access electronic health records, facilitate communication across care teams, and coordinate patient care with greater speed and clarity. This is a significant step forward in our system-wide restoration,” the organization said.
On Wednesday, the Interlock group added Kettering Health to its Tor-based leak site, confirming initial speculation that it was responsible for the attack.
While the healthcare provider has kept mum on the type of cyberattack it fell victim to, it appears that it did not give in to the threat actor’s extortion attempts and did not pay a ransom.
Interlock boasted about stealing 941 GB of data from the organization, including ID cards, financial reports, payment data, and more. In total, 732,490 files across 20,418 folders were exfiltrated, the ransomware group claims.
Responding to a SecurityWeek inquiry, Kettering Health confirmed that Interlock was likely involved in the cyberattack.
“On Tuesday, May 20, 2025, Kettering Health was impacted by a cybersecurity incident, which we have reason to believe was launched by the ransomware group Interlock. This prompted an immediate and comprehensive response to ensure the security of our systems and the integrity of our data,” Kettering Health said.
The organization says it has eradicated the group’s tools and persistence tools, patched all systems, and improved its security posture, to prevent similar incidents.
“We have strong confidence that our network-connected devices are secure, and our connections to our partners are fully protected,” the healthcare provider said.
Active since at least October 2024, Interlock is believed to have made roughly 40 victims to date, including kidney dialysis firm DaVita, National Presto Industries, and Texas Tech University. NodeSnake RAT infections at two universities in the UK appear linked to Interlock as well.
*Updated with statement from Kettering Health.
Related: MATLAB Maker MathWorks Recovering From Ransomware Attack
Related: Australia Enforces Ransomware Payment Reporting
Related: Alleged Conti, TrickBot Gang Leader Unmasked
Related: Production at Steelmaker Nucor Disrupted by Cyberattack
