More than 337,000 patients of Cookeville Regional Medical Center (CRMC) in Tennessee have been notified that their personal and medical data was compromised in a July 2025 ransomware attack, the hospital confirmed this week.
The 309-bed facility began mailing breach notification letters on April 14, 2026, roughly nine months after the intrusion was detected.
Files were accessed or acquired by an unauthorized party between July 11 and July 14, 2025, according to a filing with the Maine Attorney General's Office. A total of 337,917 individuals have been affected.
Inside the Rhysida Attack on CRMC
Rhysida, a ransomware-as-a-service operation linked to Russia and active since May 2023, claimed responsibility on August 2, 2025. The gang demanded a ransom of 10 Bitcoin, worth roughly $1.15m at the time, and posted sample files on its dark web leak site. It is unclear whether any ransom was paid.
Information accessed may include names, addresses, dates of birth, Social Security numbers, driver's license numbers, financial account details, medical record numbers, treatment information and health insurance data.
CRMC, which serves around 250,000 patients annually across 14 counties in the Upper Cumberland region, is offering 12 months of free identity theft protection through Experian.
A Year of Pressure on US Healthcare
The CRMC incident ranks as the eighth-largest US healthcare ransomware breach of 2025 by records compromised, according to Comparitech, which logged 134 confirmed attacks on US healthcare providers last year, exposing 11.7 million records.
Rhysida alone claimed 91 attacks across all sectors in 2025, with 23 confirmed and an average demand of $1.2m.
Other recent Rhysida healthcare victims include:
- Florida Lung, Asthma & Sleep Specialists (FL), May 2025, $639,000 demand
- MedStar Health (MD), September 2025, $3.09m demand
- Spindletop Center (TX), September 2025, $1.65m demand
- MACT Health Board (CA), November 2025, $662,000 demand
- Heart South Cardiovascular Group (AL), November 2025, $630,000 demand
Rebecca Moody, head of data research at Comparitech, said the lengthy investigation timeline reflects the scale of forensic work required after a hospital ransomware hit.
"It can take a considerable amount of time for organizations to investigate what data has been impacted in these breaches," Moody explained.
"While some organizations avoid using the word 'ransomware' and don't issue any form of data breach notification for months," she added, "this lack of clarity and confirmation can leave those affected open to identity theft and phishing campaigns."
Ransomware incidents at US hospitals routinely force extended downtime, canceled appointments and patient diversions even where clinical systems hold up. CRMC said it has put additional security measures in place since the attack.
