On May 20, 2025, Kettering Health detected a ransomware intrusion across its 14-hospital system in western Ohio that took the Epic electronic-health-record system, telephony, scheduling, and outpatient services offline simultaneously. The actor, identified by CNN's review of a ransom note as the Interlock group, had first gained access to Kettering Health's network on April 9, 2025 and maintained persistence for 41 days before deploying the destructive payload. Recovery of the Epic environment took until June 2; normal operations resumed on June 10. Interlock subsequently posted approximately 941 GB of exfiltrated data on its leak site after Kettering Health did not pay the ransom. By February 2026 the health system confirmed the total number of affected individuals at 1,695,382 — making the incident one of the larger 2025 HIPAA-regulated breaches. More than 200 patient lawsuits have followed.
Who is Interlock and how did they get in?
Interlock is a ransomware-as-a-service brand that surfaced in late 2024 with a leak site on the Tor network and tradecraft closely overlapping Rhysida, including the use of a Rust-based encryptor and selective targeting of healthcare and education victims. CISA, the FBI, and HHS issued a joint cybersecurity advisory on Interlock in July 2025, documenting affiliate tactics including drive-by compromise via fake browser-update lures, phishing with malicious ClickFix-pattern landing pages, abuse of Cobalt Strike and SystemBC for command-and-control, and use of WinSCP and Azure Storage Explorer for exfiltration. Kettering Health has not publicly named the initial-access vector for the April 9, 2025 intrusion, but the dwell time and lateral-movement pattern are consistent with the documented Interlock playbook: a single-user phishing or browser-update lure followed by slow, methodical privilege escalation.
What did the attackers actually access?
Kettering Health's notification, finalised in November 2025, identified exposed personal information belonging to approximately 1,695,382 individuals, including names, addresses, dates of birth, Social Security numbers, medical-record numbers, health-insurance information, clinical and diagnostic information, prescription data, and provider notes. Interlock's leak-site posting claimed 941 GB of exfiltrated data spanning patient records, employee files, financial documents, and internal communications. Operationally, the encryption phase took Epic offline at every Kettering Health hospital simultaneously, forcing clinicians onto paper charting and downtime forms. Scheduled outpatient procedures were cancelled or rescheduled for roughly three weeks. Emergency-department capacity was maintained, but with degraded electronic-record support, and ambulance diversion was implemented at several facilities.
How long were they inside?
Forty-one days. Kettering Health's forensic review, published with the breach notification, established initial access on April 9, 2025 and the encryption event on May 20, 2025. The dwell time is longer than the typical Interlock affiliate window of one to two weeks but shorter than the Black Basta and Conti dwell times historically seen at healthcare victims. Forty-one days is consistent with slow, methodical credential harvesting, AD enumeration, identification of high-value records, staged exfiltration via Azure Storage Explorer or WinSCP, and timed encryption to maximise operational disruption. The fact that detection happened only at the encryption event itself — not during the six-week dwell period — is the central control failure in the case.
What did existing controls miss?
Three failures explain the dwell-and-detection gap. First, EDR and identity-anomaly coverage was insufficient to detect the lateral-movement and reconnaissance activity that occupied most of the 41 days. Interlock affiliates use Cobalt Strike beacons, AdFind, BloodHound, and PsExec — all of which are detectable in well-tuned EDR — but the alerts either did not fire or did not escalate to active response. Second, exfiltration from internal hosts to Azure Storage endpoints via Azure Storage Explorer was either permitted by egress policy or not alerted on at the data volume Interlock used; 941 GB of exfiltration is not subtle, and DLP-class controls should have surfaced it. Third, backup immutability was insufficient to shorten the multi-week Epic recovery; Epic restoration is operationally complex even with good backups, but an immutable, air-gapped backup architecture is what differentiates a one-week recovery from a three-week recovery.
# Hospital-system Interlock-class hardening baseline
hospital_ransomware_hardening:
  endpoint:
    edr_coverage_all_endpoints: required
    edr_alerting_cobalt_strike_psexec_bloodhound: high
    application_allowlisting_clinical_workstations: required
  identity:
    privileged_role_sso_with_fido2: required
    admin_account_separation_pa_or_jit: required
    helpdesk_verified_callback_for_mfa_reset: required
  network:
    egress_dlp_alert_threshold_gb_per_hour: 1
    azure_storage_explorer_outbound_block: true
    cobalt_strike_c2_pattern_blocking: required
  backup_recovery:
    immutable_object_lock_backups: required
    air_gapped_secondary: required
    parallel_restoration_capability_tested_quarterly: required
    epic_tabletop_full_downtime_annually: required
  detection:
    siem_log_retention_days_minimum: 365
    dwell_time_target_days_maximum: 7
    automatic_quarantine_on_lateral_movement_indicators: required
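The first control failure above (recon and lateral-movement tooling that was present in telemetry but never escalated) and the baseline's dwell_time_target_days_maximum can be checked together. The following is an added example, not code from Kettering Health, Interlock, or any vendor: it scans constructed process-creation events for the AdFind, BloodHound/SharpHound and PsExec patterns the text names, and measures the window from the first such indicator to a given encryption time. Hostnames, users, paths and timestamps are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed process-creation events (not Kettering Health telemetry), one per
# line: "timestamp|host|user|image path|command line".
SAMPLE_EVENTS = """\
2025-04-09T14:02:11|WS-CLINIC-07|jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2025-04-11T09:15:40|WS-CLINIC-07|jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe|adfind.exe -f objectcategory=computer
2025-04-13T22:41:03|WS-CLINIC-07|jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\SharpHound.exe|SharpHound.exe -c All
2025-04-20T01:10:57|SRV-FILE-02|svc_backup|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe
2025-05-19T11:00:00|SRV-FILE-02|svc_backup|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
""".splitlines()

# Tooling named in the text, matched on the image path or the command line.
INDICATORS = [
    (re.compile(r"adfind\.exe", re.I), "adfind"),
    (re.compile(r"sharphound|bloodhound", re.I), "bloodhound"),
    (re.compile(r"psexec|psexesvc\.exe", re.I), "psexec"),
]
DWELL_TARGET_DAYS = 7  # dwell_time_target_days_maximum from the baseline above


def parse_event(line):
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "image": image, "cmdline": cmdline}


def find_indicators(lines):
    """Return (timestamp, host, label) for each event matching an indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for pattern, label in INDICATORS:
            if pattern.search(ev["image"]) or pattern.search(ev["cmdline"]):
                hits.append((ev["ts"], ev["host"], label))
                break
    return hits


def dwell_days(hits, encryption_iso):
    """Whole days between the earliest indicator and the encryption event."""
    encryption_time = datetime.fromisoformat(encryption_iso)
    return (encryption_time - min(ts for ts, _, _ in hits)).days


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_EVENTS)
    for ts, host, label in hits:
        print(f"{ts.isoformat()} {host}: {label}")
    days = dwell_days(hits, "2025-05-20T03:30:00")
    print(f"first indicator to encryption: {days} days (target <= {DWELL_TARGET_DAYS})")
```

In the constructed sample the first indicator precedes encryption by 38 days, far past the 7-day target; the point of the baseline's automatic-quarantine rule is that the first hit, not the encryption event, is the moment to act.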
What should healthcare defenders do now?
Six steps. First, push EDR coverage to 100 percent of clinical and administrative endpoints and tune detections specifically for Cobalt Strike beacons, BloodHound, AdFind, PsExec, and the SystemBC C2 patterns documented in the CISA joint advisory on Interlock. The Kettering Health case turned on the 41-day dwell time being invisible to existing telemetry. Second, deploy egress DLP that alerts on bulk exfiltration patterns to Azure Storage Explorer, MEGA, Rclone, and other affiliate-favoured channels — 941 GB of outbound traffic from a clinical workstation is not normal. Third, enforce phishing-resistant MFA on every privileged role, separate admin accounts from regular accounts, and require a verified helpdesk callback before any MFA factor reset. Fourth, validate backup immutability and air-gapped secondary architecture, and exercise an Epic full-downtime tabletop annually with parallel-restoration timing measured. Fifth, share TTPs and IOCs through the Health-ISAC and the 405(d) cybersecurity programme so that successor brands replacing Interlock are caught faster at peer hospital systems. Sixth, engage with HHS on the proposed 2025 HIPAA Security Rule update; the NPRM formalises MFA, encryption, and anti-malware requirements that would have changed the Kettering Health outcome.
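The second step, egress DLP on bulk exfiltration, comes down to a rate aggregation. This is an added example, not code from Kettering Health or any vendor: it sums outbound bytes per internal host per clock hour over constructed flow records and raises an alert when a host crosses the 1 GB/hour threshold from the baseline above, or when it talks to an Azure Blob endpoint (the service Azure Storage Explorer writes to) or a MEGA host. Hosts, destination names and byte counts are constructed, and the flagged-suffix list is an assumption to be extended per environment.

```python
from collections import defaultdict
from datetime import datetime

GB = 1024 ** 3
THRESHOLD_GB_PER_HOUR = 1  # egress_dlp_alert_threshold_gb_per_hour from the baseline
# Destination suffixes flagged regardless of volume (assumed list; extend per tenant).
FLAGGED_DEST_SUFFIXES = (".blob.core.windows.net", ".mega.nz")

# Constructed flow records (not Kettering Health data): "timestamp,src_host,dst_name,bytes_out"
SAMPLE_FLOWS = """\
2025-05-18T01:05:00,WS-CLINIC-07,storageacct-example.blob.core.windows.net,734003200
2025-05-18T01:40:00,WS-CLINIC-07,storageacct-example.blob.core.windows.net,629145600
2025-05-18T02:10:00,WS-CLINIC-07,storageacct-example.blob.core.windows.net,524288000
2025-05-18T01:20:00,WS-CLINIC-12,updates.vendor.example,10485760
2025-05-18T09:00:00,SRV-FILE-02,mirror.example.org,52428800
""".splitlines()


def hourly_egress(flows):
    """Sum bytes_out per (host, hour) and collect the destinations seen in that hour."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for rec in flows:
        ts, host, dst, nbytes = rec.split(",")
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        totals[(host, hour)] += int(nbytes)
        dests[(host, hour)].add(dst)
    return totals, dests


def egress_alerts(flows):
    """Return a sorted list of (host, hour_iso, reason) alerts."""
    totals, dests = hourly_egress(flows)
    alerts = []
    for (host, hour), nbytes in totals.items():
        if nbytes >= THRESHOLD_GB_PER_HOUR * GB:
            alerts.append((host, hour.isoformat(), f"volume {nbytes / GB:.2f} GB/h"))
        for dst in dests[(host, hour)]:
            if dst.endswith(FLAGGED_DEST_SUFFIXES):
                alerts.append((host, hour.isoformat(), f"flagged destination {dst}"))
    return sorted(alerts)


if __name__ == "__main__":
    for host, hour, reason in egress_alerts(SAMPLE_FLOWS):
        print(f"{hour} {host}: {reason}")
```

In the sample, WS-CLINIC-07 trips both rules in the 01:00 hour (1.27 GB to a blob endpoint) and the destination rule alone in the 02:00 hour, while the two benign hosts produce nothing; a destination block (azure_storage_explorer_outbound_block) is what stops the transfer, and the volume alert is the backstop for channels not on the list.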
How does Kettering Health compare to other 2024-2025 hospital ransomware cases?
The corpus is unfortunately large. Ascension Health in May 2024 disclosed a Black Basta intrusion affecting 5.6 million individuals after an employee phishing-driven initial-access event. Lurie Children's Hospital in Chicago disclosed a January 2024 Rhysida intrusion that produced an extended Epic outage and patient-care diversion. Prospect Medical Holdings, Lehigh Valley Health Network, and several state-level hospital systems disclosed incidents through 2024 and 2025. The Kettering Health case is distinctive for the 41-day dwell time and the 1.7 million-individual affected count from a 14-hospital system — a much smaller organisation than Change Healthcare but a much longer detection window. The legal consequences have been substantial: more than 200 patient lawsuits had been filed by early 2026, several seeking class certification and exemplary damages. HHS OCR opened a formal investigation under the HIPAA Breach Notification Rule. The proposed 2025 HIPAA Security Rule update — published as an NPRM in December 2024 and accepting public comment through March 2025 — would formalise MFA, encryption-at-rest, anti-malware, and supplier-management controls that would have materially changed the outcome of the Kettering Health intrusion. Health-system defenders should expect this rule to drive 2026 capital programmes in healthcare cybersecurity.
How Safeguard Helps
Safeguard inventories every clinical and administrative software dependency across hospital-system environments and continuously cross-references each against CISA KEV, HHS sector advisories, and Health-ISAC threat intelligence. Griffin AI reachability analysis surfaces which clinical workstations lack EDR coverage, which egress paths permit Azure Storage Explorer or Rclone traffic, and which backup architectures lack immutability guarantees. TPRM workflows score Epic, Cerner, MEDITECH, and managed-service partners against contractual breach-notification SLAs and the proposed 2025 HIPAA Security Rule. Policy gates block deployments that embed clinical applications below your minimum patch baseline, and ingest Interlock, Rhysida, and Black Basta-successor IOCs continuously so that an intrusion at one peer hospital system surfaces a prioritised remediation queue across the regional health network within minutes — not the 41 days that Kettering Health lost in 2025.