
Ransomware Group Rhysida Breaches Cookeville Regional Medical Center, Exposing Data of 337,000 Patients

In July 2025, the Rhysida ransomware gang accessed Cookeville Regional Medical Center’s network and exfiltrated roughly 500 GB of files, compromising personal, financial, and health information of about 337,000 individuals. The breach highlights critical third‑party risk for organizations that share or consume CRMC data.

🛡️ LiveThreat™ Intelligence · 📅 April 17, 2026 · 📰 securityaffairs.com

Severity: High · Type: Breach · Confidence: High · Affected: 5 sector(s) · Actions: 5 recommended · Source: securityaffairs.com

What Happened – In July 2025, the Rhysida ransomware gang infiltrated Cookeville Regional Medical Center (CRMC) in Tennessee, exfiltrating roughly 500 GB of sensitive files. The breach was publicly disclosed in April 2026, confirming that personal, financial, and health information of about 337,000 individuals was accessed or stolen.

Why It Matters for TPRM

  • Large‑scale exposure of PHI and PII creates regulatory, reputational, and financial risk for any organization that relies on CRMC as a service or data source.
  • Ransomware‑driven supply‑chain attacks highlight the need for continuous monitoring of third‑party security hygiene.
  • The incident underscores the importance of incident‑response contracts and identity‑theft protection provisions in vendor agreements.

Who Is Affected – Healthcare providers, health‑information exchanges, insurers, payroll processors, and any business that exchanges patient data with CRMC.

Recommended Actions

  • Verify that contractual clauses require CRMC to maintain ransomware‑resilience controls (network segmentation, multi‑factor authentication, regular backups).
  • Request evidence of post‑incident forensic reports and remediation steps.
  • Conduct a risk‑based review of any data flows that involve CRMC‑originated records; consider supplemental monitoring or encryption.

Technical Notes – The Rhysida operators gained initial access, likely via phishing or credential theft, then moved laterally to harvest 500 GB of files. Exfiltrated data includes names, addresses, dates of birth, Social Security numbers, driver’s licenses, financial account numbers, medical record numbers, and health‑insurance details.

Source: Security Affairs

📰 Original Source
https://securityaffairs.com/190898/cyber-crime/cookeville-regional-medical-center-hospital-data-breach-impacts-337917-people.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
