The ransomware group known as Interlock publicly claimed responsibility on Wednesday for the ongoing cyberattack targeting Kettering Health, asserting that it exfiltrated nearly 1 terabyte of sensitive data from the healthcare organization.
Kettering Health, which operates over 120 medical facilities—including nine major hospitals across Ohio—has been grappling with widespread system outages since first disclosing the incident on May 20. The disruption has severely impacted operations, leading to the cancellation of thousands of patient appointments and procedures. Many medical staff have resorted to using paper forms, according to patient reports, as digital systems remain down.
While Interlock had already been suspected of involvement, the group confirmed its role by adding Kettering Health to its dark web leak site on Wednesday afternoon. The gang claims to possess 941GB of stolen data across 732,490 files, offering six sample documents. These include financial and budget reports for 2023 and 2024, insurance and tax ID documents, and personal identification records such as an Ohio driver’s license and a Japanese passport.
Interlock also detailed the stolen data inventory, highlighting files like an 85.5MB “Bank Reports” document, a 7.7GB “Police Security Personnel” file, a 4.7GB collection of alleged Medicaid applications, and documents labeled “Blood Bank KH Main” and “PharmacySurgery.”
Kettering Health had previously shared a ransom note from Interlock with the media shortly after the attack began. The note reportedly stated, “Your network was compromised, and we have secured your most vital files,” according to CNN.
If such negotiations did occur, they now appear to have collapsed.
On Monday, Kettering Health issued its 15th public update regarding the incident, announcing “a major milestone” in its recovery process. The nonprofit healthcare provider confirmed it had successfully restored its Epic electronic health record (EHR) system, with the assistance of nearly 200 employees and staff.
The update also noted ongoing efforts to fully reinstate internal and external phone services, as well as restore access to MyChart, the patient portal used across the network.