Kettering hospitals scramble after ransomware attack, thousands of patient procedures canceled


A ransomware attack on Kettering Health network in Ohio forces more than 120 medical facilities, including nine major hospitals, to cancel thousands of patient procedures – some of them for life-threatening illnesses.

Kettering Health announced the “system-wide technology outage” publicly on Wednesday, stating that threat actors had gained unauthorized access to its network earlier in the week.

The cyberattack has “limited our ability to access certain patient care systems across the organization,” Kettering Health posted on Facebook, adding that it has taken steps to contain and mitigate the malicious activity, while investigating.


“We understand that this situation can be extremely stressful for our patients and their families. However, we would like to assure that we have procedures and plans in place for these types of situations and will continue to provide safe, high-quality care in each of our facilities,” Kettering assured the public.

Joshua Roback, Principal Security Solution Architect at Swimlane, says the attack on Kettering Health once again shows the fragility of healthcare infrastructure and how quickly outages can impact patient care.

“As a result of the outage, all elective procedures were paused yesterday, and call centers were down, leaving patients to navigate care gaps,” Roback pointed out. “These attacks do more than just breach networks; they directly compromise care delivery and patient safety,” he said.

Lack of communication

Telling a different story on social media, patients of the Western Ohio regional medical network say they have been left in the dark. Many have complained about the lack of communication regarding already scheduled procedures, prescription refills, and even just rescheduling appointments.

Founded in 1964, the faith-based Kettering Health is made up of 14 medical centers, including nine hospitals, and more than 120 outpatient facilities, its website states. It serves roughly 1.5 million patients per year and in 2023 reported an annual revenue of $34.1 million, according to ProPublica’s Nonprofit Explorer.


“Everything is old school now with paper forms being filled out by doctors and staff alike,” one cancer patient posted after their oncology appointment on Thursday.

One person asked, “Can we get an idea which offices are open or not considering phones are down?” “My dad has a surgery Friday and hasn’t heard otherwise,” another commented.

"I believe they can do better than what they're doing, maybe someone's going to lose their life because of their inadequate planning," said yet another.

Patients express frustration by posting on Kettering Health's Facebook profile. Image by Cybernews.

So far, Kettering has not responded to the dozens of questions posted by frustrated patients wondering what to do next, although in a website update, the medical network stated it will contact patients by phone about rescheduling procedures.

As for surgeries and other medical procedures, the hospital said it is evaluating procedures “on a case-by-case basis, based upon collaborative decision-making between care teams, with safety as our highest priority.”

To note: Kettering’s medical centers are consistently listed in the IBM Watson Health 100 Top Hospitals in the nation, providing maternity care, state-of-the-art cancer centers, a leading heart hospital, and cutting-edge brain and spine surgery.

Scammers are already targeting patients

In another twist to the ransomware attack, it appears other cybercriminals have been quick to try and capitalize on Kettering's system-wide outage, subjecting patients to secondary attacks in attempts to steal personally identifiable information (PII).

Kettering addressed the patient targeting Thursday on its website, although it stopped short of blaming the uptick in scammers on the cyberattack.


“It has not been established that these scam calls are connected to the system-wide technology outage,” Kettering said.


Still, the conglomerate stated it had “confirmed reports that scam calls have occurred from persons claiming to be Kettering Health team members requesting credit card payments for medical expenses.”

“While it is customary for Kettering Health to contact patients by phone to discuss payment options for medical bills, out of an abundance of caution, we will not be making calls to ask for or receive payment over the phone until further notice,” the medical network said.

Kettering urged any patient who receives a scam call to report the incident to their local law enforcement.

Roback believes the Kettering Health attack is not an outlier, but part of a growing pattern. “If the Change Healthcare breach wasn’t enough to prompt action, this latest disruption should make it clear that inaction is no longer an option,” he told Cybernews.

“The security of these systems should be non-negotiable. Cybersecurity in healthcare can’t remain a siloed IT issue. It must be embedded into the core of the patient care strategy, with resilience, not recovery, as the standard,” Roback said.

Interlock is no stranger to the healthcare sector

Kettering Health is the alleged victim of the Interlock ransomware group, which, as reported by CNN, left a ransom note that the outlet was able to view.

“Your network was compromised, and we have secured your most vital files,” Interlock wrote, threatening to leak data exfiltrated from Kettering’s networks unless an undisclosed ransom demand is paid.


Cybernews was able to view Interlock’s leak site titled the "Worldwide Secrets Blog" and can confirm that Kettering Health is not listed, leading to speculation that the medical network is presently in negotiations with the gang.

Interlock leak site. Image by Cybernews.

The gang, which first surfaced on the ransomware scene in fall 2024, has since targeted a variety of sectors, including healthcare, tech, government, and manufacturing.

Patients, rightly concerned about their private health data being stolen in the attack, were given reassurance on the Kettering website that there was “no evidence that personal cell phone apps, like MyChart, or the information in them have been compromised.”

"We understand our patients’ concerns for their privacy and information security," Kettering said.

Still, ransomware groups are known to not only encrypt data, but to leak that data if a second ransom is not paid or if negotiations break down – a method known as double extortion and one that Interlock is known for using against its victims.

According to an October 2024 profile on the ransomware gang by Broadcom, its “victims are cautioned against altering files, using recovery software, or rebooting systems, as these actions could lead to irreversible damage.” Broadcom also said Interlock victims are often given only 96 hours to negotiate.
