[{"data":1,"prerenderedAt":118},["ShallowReactive",2],{"article-slug-tennessee-hospital-notifies-337000-of-breach-after-rhysida-ransomware-attack":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":25,"sources":26,"events":43,"mitre_techniques":53,"mitre_mitigations":69,"d3fend_countermeasures":87,"iocs":88,"cyber_observables":89,"tags":104,"extract_datetime":108,"article_type":109,"impact_scope":110,"pub_date":116,"reading_time_minutes":117,"createdAt":108,"updatedAt":108},"02393807-5f14-4a3c-aea2-2c2ac73a643a","tennessee-hospital-notifies-337000-of-breach-after-rhysida-ransomware-attack","Tennessee Hospital Notifies 337,000 Patients of Data Breach, Nine Months After Rhysida Ransomware Attack","Tennessee Hospital Notifies 337,000 Patients of Data Breach, Months After Rhysida Ransomware Attack","Cookeville Regional Medical Center (CRMC) in Tennessee has begun notifying 337,917 individuals that their sensitive personal and medical data was stolen in a ransomware attack that occurred in July 2025. The notification letters, sent out nine months after the breach, confirm an attack by the Rhysida ransomware group. In August 2025, Rhysida claimed responsibility on its dark web leak site, stating it had stolen 500GB of data, including over 370,000 files. The compromised information is highly sensitive, potentially including Social Security numbers, financial details, and medical records. Despite the group's attempt to sell the data, and its later release of the data for free, the hospital stated it has 'no evidence' of data misuse, a claim met with skepticism by security experts. CRMC is offering 12 months of identity protection services.","## Executive Summary\n**Cookeville Regional Medical Center (CRMC)** in Tennessee has confirmed a massive data breach affecting 337,917 patients, stemming from a ransomware attack that occurred in July 2025. 
The hospital began sending notification letters on April 14, 2026, a full nine months after the incident. The attack was publicly claimed by the **[Rhysida](https://malpedia.caad.fkie.fraunhofer.de/actor/rhysida)** ransomware gang in August 2025, which listed the hospital on its dark web leak site and advertised the stolen data for sale. The gang claimed to have exfiltrated 500GB of data, including highly sensitive Personally Identifiable Information (PII) and Protected Health Information (PHI) such as Social Security numbers, financial account details, and medical records. The significant delay in public notification and the severity of the exposed data have drawn criticism and heightened the risk of identity theft and fraud for the affected patients. The hospital is offering one year of identity theft protection services.\n\n## Threat Overview\n- **Threat Actor:** **[Rhysida](https://malpedia.caad.fkie.fraunhofer.de/actor/rhysida)**, a ransomware-as-a-service (RaaS) group known for targeting the healthcare sector.\n- **Incident Timeline:**\n  - **July 11-14, 2025:** Rhysida gains access to CRMC's network and exfiltrates data.\n  - **August 2025:** Rhysida lists CRMC on its dark web leak site, claiming the theft of 500GB of data and offering it for sale for 10 Bitcoin.\n  - **Post-August 2025:** When no buyer emerged, the data was reportedly made available for free download.\n  - **April 14, 2026:** CRMC begins sending official breach notification letters to 337,917 affected individuals.\n- **TTPs:** Rhysida employs a double-extortion strategy. They first exfiltrate sensitive data ([`T1567 - Exfiltration Over Web Service`](https://attack.mitre.org/techniques/T1567/)) and then encrypt the victim's systems ([`T1486 - Data Encrypted for Impact`](https://attack.mitre.org/techniques/T1486/)). 
This puts maximum pressure on the victim to pay the ransom to both restore their files and prevent the public release of stolen data.\n\n## Technical Analysis\nWhile the initial access vector for the CRMC attack was not disclosed, Rhysida is known to leverage phishing campaigns ([`T1566 - Phishing`](https://attack.mitre.org/techniques/T1566/)) and exploit vulnerabilities in public-facing services, particularly VPNs. Once inside a network, they often use legitimate tools like PsExec for lateral movement ([`T1570 - Lateral Tool Transfer`](https://attack.mitre.org/techniques/T1570/)) and deploy their ransomware. A key part of their playbook is to disable security software and delete backups ([`T1490 - Inhibit System Recovery`](https://attack.mitre.org/techniques/T1490/)) to ensure maximum impact and hinder recovery efforts. The exfiltration of 500GB of data before encryption is a clear indicator of their double-extortion model.\n\n## Impact Assessment\nThe impact on the 337,917 patients is severe. The compromised data is a goldmine for cybercriminals and can be used for:\n- **Medical Identity Theft:** Using a patient's identity to fraudulently obtain medical services or prescriptions.\n- **Financial Fraud:** Opening new lines of credit, filing fraudulent tax returns, or draining bank accounts using stolen SSNs and financial details.\n- **Blackmail and Extortion:** Threatening to release sensitive medical diagnoses or treatments unless a payment is made.\n- **Targeted Phishing:** Crafting highly convincing scams using detailed personal and medical information.\n\nThe nine-month delay between the breach and the notification significantly exacerbated these risks, as patients were unaware that their data was exposed and could not take proactive steps to protect themselves. 
For CRMC, the incident has resulted in significant reputational damage, regulatory scrutiny under **[HIPAA](https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act)** (whose Breach Notification Rule generally requires individual notice no later than 60 days after a breach is discovered), and substantial financial costs for remediation and identity protection services.\n\n## Detection & Response\nDetecting a ransomware intrusion of this kind requires a multi-layered approach.\n- **EDR/XDR:** Modern endpoint solutions can detect ransomware behavior, such as the rapid encryption of files or attempts to delete volume shadow copies. Rhysida's known file artifacts, the `.rhysida` extension appended to encrypted files and the ransom note `CriticalBreachDetected.pdf`, are straightforward to hunt for once an intrusion is suspected. This is a form of **[D3FEND File Analysis (D3-FA)](https://d3fend.mitre.org/technique/d3f:FileAnalysis)**.\n- **Network Monitoring:** Monitor for large, anomalous outbound data transfers, which can be an early indicator of data exfiltration before the ransomware is deployed. This is a critical use case for **[D3FEND Network Traffic Analysis (D3-NTA)](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis)**.\n- **Active Directory Monitoring:** Monitor for the creation of new administrative accounts or the escalation of privileges, which are common precursors to a network-wide ransomware deployment.\n\n## Mitigation\nHealthcare organizations remain a prime target and must prioritize security.\n1.  **Offline, Immutable Backups:** Maintain multiple, tested backups of critical data, with at least one copy stored offline and immutable. This is the most critical defense against the impact of data encryption.\n2.  **Vulnerability Management:** Aggressively patch internet-facing systems and internal software to close the entry points used by ransomware groups. This is a fundamental **[D3FEND Software Update (D3-SU)](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate)** control.\n3.  **Employee Training:** Conduct regular security awareness training to help employees recognize and report phishing attempts, which are a primary initial access vector.\n4.  
**Network Segmentation:** Segment the network to prevent ransomware from spreading from workstations to critical servers hosting patient data. This **[D3FEND Network Isolation (D3-NI)](https://d3fend.mitre.org/technique/d3f:NetworkIsolation)** strategy can contain the blast radius of an attack.","A Tennessee hospital has notified 337,000 patients of a data breach from a Rhysida ransomware attack that occurred 9 months ago. 🏥 Stolen data includes SSNs and medical records, which were leaked on the dark web. #Ransomware #Healthcare #DataBreach","Cookeville Regional Medical Center in Tennessee is notifying over 337,000 patients that their sensitive data was compromised in a Rhysida ransomware attack from July 2025.",[13,14,15],"Ransomware","Data Breach","Threat Actor","high",[18,21],{"name":19,"type":20},"Cookeville Regional Medical Center (CRMC)","company",{"name":22,"type":23,"url":24},"Rhysida","threat_actor","https://malpedia.caad.fkie.fraunhofer.de/actor/rhysida",[],[27,33,38],{"url":28,"title":29,"date":30,"friendly_name":31,"website":32},"https://www.infosecurity-magazine.com/news/cookeville-medical-center-notifies/","Cookeville Medical Center Notifies Patients After July 2025 Ransomware Attack","2026-04-19","Infosecurity Magazine","infosecurity-magazine.com",{"url":34,"title":35,"date":30,"friendly_name":36,"website":37},"https://www.securityweek.com/data-breach-at-tennessee-hospital-affects-337000/","Data Breach at Tennessee Hospital Affects 337,000","SecurityWeek","securityweek.com",{"url":39,"title":40,"date":30,"friendly_name":41,"website":42},"https://cybernews.com/news/337k-exposed-rhysida-ransomware-attack-tennessee-cookeville-regional-medical-center/","337K exposed in ransomware attack on Tennessee's Cookeville Regional Medical Center","Cybernews","cybernews.com",[44,47,50],{"datetime":45,"summary":46},"2025-07-11T00:00:00Z","Rhysida ransomware group gains access to CRMC's network.",{"datetime":48,"summary":49},"2025-08-01T00:00:00Z","Rhysida lists CRMC 
on its dark web leak site and claims to have stolen 500GB of data.",{"datetime":51,"summary":52},"2026-04-14T00:00:00Z","CRMC begins sending breach notification letters to 337,917 individuals.",[54,58,62,65],{"id":55,"name":56,"tactic":57},"T1486","Data Encrypted for Impact","Impact",{"id":59,"name":60,"tactic":61},"T1567","Exfiltration Over Web Service","Exfiltration",{"id":63,"name":64,"tactic":57},"T1490","Inhibit System Recovery",{"id":66,"name":67,"tactic":68},"T1566","Phishing","Initial Access",[70,75,79,83],{"id":71,"name":72,"description":73,"domain":74},"M1049","Antivirus/Antimalware","Deploy EDR solutions that can detect and block ransomware behaviors like mass file encryption.","enterprise",{"id":76,"name":77,"description":78,"domain":74},"M1037","Filter Network Traffic","Restrict and monitor egress traffic so that large, anomalous outbound transfers are blocked or alerted on before data leaves the network.",{"id":80,"name":81,"description":82,"domain":74},"M1017","User Training","Train employees to recognize and report phishing emails, a common entry vector for ransomware.",{"id":84,"name":85,"description":86,"domain":74},"M1030","Network Segmentation","Segment critical systems like EMR databases from the general corporate network to limit the spread of ransomware.",[],[],[90,95,98],{"type":91,"value":92,"description":93,"context":94,"confidence":16},"file_name","*.rhysida","The file extension commonly appended to files encrypted by the Rhysida ransomware.","File system scanning, EDR.",{"type":91,"value":96,"description":97,"context":94,"confidence":16},"CriticalBreachDetected.pdf","The typical name of the ransom note dropped by Rhysida ransomware on compromised systems.",{"type":99,"value":100,"description":101,"context":102,"confidence":103},"network_traffic_pattern","Anomalous large outbound data transfers from internal servers to external hosts.","Indicator of data exfiltration prior to ransomware deployment.","NDR solutions, firewall logs, 
NetFlow.","medium",[13,22,105,14,106,107],"Healthcare","HIPAA","Double Extortion","2026-04-20T15:00:00.000Z","NewsArticle",{"geographic_scope":111,"countries_affected":112,"industries_affected":114,"people_affected_estimate":115},"local",[113],"United States",[105],"337,917","2026-04-20",5,1776724719131]
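The Detection & Response section above names three behaviours worth alerting on: shadow-copy deletion (T1490), Rhysida's file artifacts (the `.rhysida` extension and the `CriticalBreachDetected.pdf` ransom note listed as IOCs), and large anomalous outbound transfers ahead of encryption. The following is an added example of how those three checks look as code; it is not code from the article, its sources, or any vendor product. The record layouts (`host`/`cmdline`, `host`/`path`, `host`/`day`/`dst`/`bytes`) are assumptions standing in for whatever an EDR or flow collector actually emits, and every sample event is constructed inline.

```python
"""Detection sketches for the Rhysida behaviours discussed in the article.

Added example, not code from the article or its sources. The record layouts
(host/cmdline, host/path, host/day/dst/bytes) are assumptions standing in for
whatever an EDR or flow collector actually emits; all sample events below are
constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

GiB = 2**30
MiB = 2**20

# T1490 Inhibit System Recovery: commands run to destroy shadow copies,
# disable Windows recovery, or wipe backup catalogs before encryption.
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# File artifacts listed as Rhysida IOCs in the article.
RANSOM_EXTENSION = ".rhysida"
RANSOM_NOTE = "criticalbreachdetected.pdf"

# Destinations in these ranges are internal and ignored by the exfil check.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def detect_recovery_inhibition(process_events):
    """Return (host, cmdline) for every process start matching a T1490 pattern."""
    return [
        (ev["host"], ev["cmdline"])
        for ev in process_events
        if any(p.search(ev["cmdline"]) for p in RECOVERY_INHIBIT_PATTERNS)
    ]


def detect_ransom_artifacts(file_events):
    """Return sorted hosts on which the Rhysida extension or ransom note was written."""
    hosts = set()
    for ev in file_events:
        name = ev["path"].rsplit("\\", 1)[-1].lower()
        if name.endswith(RANSOM_EXTENSION) or name == RANSOM_NOTE:
            hosts.add(ev["host"])
    return sorted(hosts)


def detect_exfil_volume(flows, factor=5.0, min_bytes=10 * GiB):
    """Flag (host, day, bytes) where a host's outbound bytes to external
    addresses exceed both an absolute floor and `factor` times that host's own
    median daily volume. A host seen on only one day has no baseline and is
    never flagged; using the median keeps a single spike day from inflating it."""
    daily = defaultdict(int)
    for f in flows:
        dst = ip_address(f["dst"])
        if any(dst in net for net in INTERNAL_NETS):
            continue
        daily[(f["host"], f["day"])] += f["bytes"]
    history = defaultdict(list)
    for (host, _day), total in daily.items():
        history[host].append(total)
    return [
        (host, day, total)
        for (host, day), total in sorted(daily.items())
        if total >= min_bytes and total > factor * median(history[host])
    ]


# --- constructed sample telemetry -------------------------------------------
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-112", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "ws-112", "cmdline": r"cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "srv-emr-01", "cmdline": r"powershell.exe -NoProfile -c Get-Process"},
    {"host": "srv-emr-01", "cmdline": r"wmic.exe shadowcopy delete"},
]

SAMPLE_FILE_EVENTS = [
    {"host": "srv-emr-01", "path": r"D:\Data\patients.mdf.rhysida"},
    {"host": "ws-044", "path": r"C:\Users\jdoe\Desktop\CriticalBreachDetected.pdf"},
    {"host": "ws-050", "path": r"C:\Users\asmith\Documents\report.pdf"},
]

# Five quiet days per host, then one day on which the file server pushes
# 180 GiB to an external address. Internal backup traffic is large but ignored.
SAMPLE_FLOWS = []
for _d in range(1, 6):
    _day = f"2025-07-{_d:02d}"
    SAMPLE_FLOWS += [
        {"host": "srv-file-01", "day": _day, "dst": "203.0.113.10", "bytes": 2 * GiB},
        {"host": "srv-file-01", "day": _day, "dst": "10.0.5.20", "bytes": 50 * GiB},
        {"host": "ws-112", "day": _day, "dst": "203.0.113.10", "bytes": 200 * MiB},
    ]
SAMPLE_FLOWS += [
    {"host": "srv-file-01", "day": "2025-07-12", "dst": "203.0.113.77", "bytes": 180 * GiB},
    {"host": "ws-112", "day": "2025-07-12", "dst": "203.0.113.10", "bytes": 300 * MiB},
]

if __name__ == "__main__":
    print("T1490 hits:", detect_recovery_inhibition(SAMPLE_PROCESS_EVENTS))
    print("ransom artifacts on:", detect_ransom_artifacts(SAMPLE_FILE_EVENTS))
    print("exfil candidates:", detect_exfil_volume(SAMPLE_FLOWS))
```

The exfiltration check deliberately combines a relative threshold with an absolute floor: the relative one catches a normally quiet server that suddenly pushes hundreds of gigabytes out, while the floor keeps a workstation that goes from 200 MiB to 300 MiB a day from paging anyone. Both knobs, and the set of internal ranges, have to be tuned to the environment; the values here are only illustrative.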