Kettering Health, a nonprofit healthcare network operating 14 medical centers across Ohio, is recovering from a significant system outage caused by a cybersecurity incident. The disruption led to the cancellation of elective inpatient and outpatient procedures and impacted the organization’s call center and care systems.
The organization manages more than 120 outpatient facilities and employs over 15,000 people, including 1,800 physicians.
In a statement posted online, Kettering Health confirmed a cyberattack was responsible:
“Elective inpatient and outpatient procedures at Kettering Health facilities have been canceled for today, Tuesday, May 20. These procedures will be rescheduled for a later date and more information will be provided on this as updates are available. In addition, our call center is experiencing an outage and may not be accessible.”
“At this time, only elective procedures are being rescheduled. Our emergency rooms and clinics are open and continuing to see patients.”
The organization also warned patients about a parallel issue involving scam calls in which individuals impersonating Kettering Health employees request credit card payments.
“While it is customary for Kettering Health to contact patients by phone to discuss payment options for medical bills, out of an abundance of caution, we will not be making calls to ask for or receive payment over the phone until further notice.”
Interlock Ransomware Group Tied to Attack and Ransom Threats
While Kettering Health has not officially disclosed whether the attack was ransomware-related or whether data was stolen, signs point to involvement by the Interlock ransomware group.
According to cybersecurity firm PRODAFT, the breach was carried out by a threat actor called Nefarious Mantis, affiliated with the Interlock cluster. This group is known for targeting U.S. healthcare and biotech organizations using the Interlock Remote Access Trojan (RAT) for internal access and control.
“In several cases, this activity led to the deployment of Interlock ransomware, resulting in operational disruption and potential data loss,”
— PRODAFT to BleepingComputer
CNN also reported that the group is threatening to leak sensitive data stolen from Kettering Health unless a ransom is paid. A ransom note was reportedly left on compromised systems:
“Your network was compromised, and we have secured your most vital files.”
As of now, Interlock has not published any Kettering Health data on its leak site. No other ransomware gang has claimed responsibility either.
Interlock’s Recent Activity Raises Concerns
The Interlock ransomware operation, first observed in September, has claimed more than 30 victims. One of its most high-profile attacks targeted DaVita, a major kidney care provider, from which the group claimed to have stolen 1.5 terabytes of data, including nearly 700,000 files.