
Cookeville Regional Medical Center has begun notifying 337,917 people that personal and medical information was exposed after a ransomware attack discovered on 14 July 2025, a breach that has taken about nine months to fully assess and disclose at scale. The Tennessee hospital said an unauthorised third party accessed or acquired files between 11 July and 14 July 2025, with the compromised data varying by individual and including names, addresses, dates of birth, Social Security numbers, driving licence numbers, financial account details, medical treatment information, medical record numbers and health insurance information.
The disclosure places Cookeville Regional among the larger healthcare cyber incidents now coming to light from 2025, underlining how long investigations can take after attackers gain access to hospital systems. The medical centre said it found suspicious activity on its network on 14 July 2025, launched an internal investigation, involved law enforcement and brought in a forensic security firm to examine the intrusion and secure its systems. The hospital added that it is mailing letters to affected people where it has a valid address and is offering complimentary identity theft protection services to those whose Social Security numbers or driving licence numbers were involved.
Cookeville Regional has said it has no evidence so far that the exposed information has been misused. Even so, the breadth of the data involved means the incident carries risks well beyond ordinary notification exercises. Health records, insurance details and government identifiers can be used in combinations that create longer-term exposure to fraud, impersonation and medical identity theft, making healthcare providers especially attractive targets for extortion groups.
Independent cyber reporting tied the attack to Rhysida, a ransomware operation that has repeatedly targeted hospitals, local authorities and other public-facing institutions. Security reports said the group listed Cookeville Regional on its leak site in August 2025, claimed to have taken roughly 500GB or more of data and sought 10 bitcoin for it, a demand valued at roughly $1 million to $1.15 million at the time. Those reports said the group later indicated that no buyer had emerged and that the stolen files were made available online. Cookeville Regional itself has not stated publicly whether any ransom was paid.
That sequence matters because it shows the now familiar pattern of “double extortion” in healthcare attacks: operational disruption first, followed by pressure to pay in exchange for non-publication of stolen files. Local reporting from the time said the medical centre was dealing with a network security incident in July 2025 after an unauthorised party gained access to its network, while the hospital’s public notice issued this month sets out a narrower confirmed access window of 11 to 14 July. The later forensic review appears to have been needed to determine exactly which files were affected and who had to be told.
The long gap between discovery and broad patient notification is likely to draw attention because federal health privacy rules generally require notification without unreasonable delay and, for large breaches, no later than 60 days after discovery, though initial regulatory filings can use placeholder figures when the full scope is not yet known. Industry reporting said the breach was reported to the US Department of Health and Human Services’ Office for Civil Rights in August 2025 with a placeholder count, reflecting the practical difficulty many hospitals face when attackers access huge volumes of mixed administrative and clinical data.
Cookeville Regional is a 289-bed regional referral hospital serving the Upper Cumberland area, and the size of the notification reflects how concentrated cyber risk has become in medium-sized healthcare systems that hold deep stores of patient, staff and billing data. That makes such institutions vulnerable not only because of the value of the information they store, but also because service continuity limits how aggressively they can shut down systems during a crisis. Cyber specialists have repeatedly warned that hospitals remain tempting targets because the cost of downtime, reputational damage and regulatory exposure can quickly outstrip the price of a ransom demand.
For patients, the immediate issue is not only whether the data was copied but what kind of records were inside the stolen files. Cookeville Regional said some of those files may have contained financial account information and treatment data in addition to identity documents. That mix tends to raise the risk of phishing, fraudulent credit applications and misuse of medical identifiers, particularly when threat actors or downstream buyers have had months to circulate the material. The hospital said affected people should monitor account statements and credit reports closely and report suspicious activity promptly.