
Kettering Health confirms attack by Interlock ransomware group as health record system is restored

One of the largest healthcare systems in Ohio confirmed that the systemwide technology outages it has faced over the last two weeks were caused by a ransomware attack.

Kettering Health, which runs 14 medical centers and dozens of clinics primarily in the Dayton area, attributed the cybersecurity incident to the ransomware group Interlock.

The ransomware gang took credit for the attack this week, claiming to have stolen troves of data from the company. They offered samples that included financial records and more.

The hospital network said the ransomware attack began on May 20, knocking internal systems, phone lines and the electronic health record system offline. Several facilities had to cancel elective procedures and some ambulances were diverted.

In its statement on Thursday, Kettering Health officials said they have since removed all “tools and persistence mechanisms” of the ransomware gang and said “all affected systems” have been secured.

“A thorough review of all systems was conducted by external partners and our internal team, and all necessary security protocols, including network segmentation, enhanced monitoring, and updated access controls, are in place,” the organization said.

They added that they have since segmented their network and allowed an external cybersecurity firm to enhance their monitoring. 

“We have strong confidence that our network-connected devices are secure, and our connections to our partners are fully protected. Our primary focus has shifted to ensuring that patients can reliably communicate, schedule, and receive all types of care from Kettering Health,” officials added.

On a website designed to update customers and patients, the hospital network said earlier this week it has successfully relaunched some components of its electronic health record system. The company said more than 200 people, including Kettering Health employees and external experts, worked to restore the system. 

Officials are still working to bring back online inbound and outbound calling to Kettering Health facilities and practices.

Kettering Health did not respond to requests for comment about whether it plans to pay the ransom or what data it believes was stolen. 

CNN was first to report that a ransom note found by the hospital network’s IT workers allegedly came from the Interlock ransomware gang. 

The group caused alarm in April after shutting down the network of dialysis treatment company DaVita, and it previously attacked the Texas Tech University Health Sciences Center as well as its El Paso counterpart.

Multiple healthcare systems have been brought down by cyber incidents over the last two weeks. A Catholic healthcare organization told Recorded Future News last week that multiple hospitals across New England are facing outages due to a cyberattack, and Central Maine Healthcare was forced to shut down its network this week due to a cyber incident.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.