Interlock claims responsibility for Kettering cyberattack, stolen data listed for sale
The cybercrime group Interlock, infamous for attacking the defense sector, has confirmed earlier reports that it was responsible for the May 20 incident that shut down a large Christian-based nonprofit healthcare system in Ohio. Furthermore, information taken in the data breach is now available for purchase on the dark web through a site run by the hackers.
Kettering Health announced last week that its electronic health record system and patient portal were back online—a little over two weeks after ransomware was deployed on its network. The attack disrupted much of its inpatient care services, forcing Kettering to rely on backup systems during the outage.
All nine of its hospitals, along with its network of medical centers and acute care clinics, were affected.
Little was initially revealed about the attack, including what data may have been accessed or stolen by the hackers. However, a dark web data leak site operated by Interlock featured a new post on June 4 with details on what was taken: 941 GB of data, said to include ID cards, payment data, financial reports, and more.
Cybersecurity firm Comparitech was the first to break the news, adding that the data trove contains 732,490 files, spread across 20,418 folders—all taken from Kettering’s internal databases. The stolen financial reports likely contained patient contact details, as many individuals reported receiving scam calls shortly after the attack, with callers demanding money for alleged unpaid medical bills.
Screenshots posted by Interlock show driver’s licenses belonging to individuals who are likely patients.
A deeper investigation into the data trove revealed that at least some clinical information was also stolen and posted on the dark web, including summaries of patient visits—according to journalists at TechCrunch, who said they reviewed some of the files.
Interlock confirmed in its post that it was able to steal data from across the Kettering system, suggesting its access extended beyond a single hospital. The group listed all nine Kettering hospitals, “12 freestanding acute care facilities, 188 clinics, more than 1,900 physicians, and more than 14,000 employees” as sources of the stolen data, which it has now put up for sale.
Comparitech said the hackers have been responsible for 17 confirmed attacks since October 2024 alone—and are suspected in 22 others, including the April ransomware attack on DaVita’s kidney care clinics.
All systems patched
Kettering is keeping a page on its website updated with new information on the data breach and subsequent recovery. In the latest post, dated June 5, the health system confirmed that all malicious tools were removed and affected systems have been re-secured.
The organization expressed strong confidence in the security of its network-connected devices. Further, it said its Epic EHR was relaunched on June 2, enabling staff to access and update patient records digitally.
How Interlock gained access remains a mystery. It’s possible that some of the patch upgrades Kettering confirmed mean a yet-unknown vulnerability was the vector for the attack. However, that’s only one possibility.
HealthExec reached out to the health system for additional information but did not receive a reply.
Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.