338K Individuals Affected by Cookeville Regional Medical Center Ransomware Attack

Following a forensic investigation and an extended data review process, Cookeville Regional Medical Center confirmed that a 2025 ransomware attack resulted in the exposure of the personal and protected health information (PHI) of 337,917 individuals.

Incident Identification And Timeline

Cookeville Regional Medical Center in Cookeville, Tennessee, identified a ransomware attack on July 14, 2025 and initiated actions to prevent further unauthorized access to its network. According to the forensic investigation, unauthorized access to the computer network occurred between July 11, 2025 and July 14, 2025.

The organization publicly announced the ransomware incident shortly after discovery. A few months later, it issued another announcement to confirm the compromise of personal data and PHI. The medical center warned patients regarding the potential for data theft.

Regulatory Reporting and Data Review

In compliance with HIPAA laws, Cookeville Regional Medical Center reported the data breach to the HHS Office for Civil Rights in August 2025 using a placeholder figure of 500 individuals. A full review of the affected data required several months to complete.

On March 16, 2026, the medical center completed the file review process and obtained a complete list of affected individuals. Updated contact information was gathered, and notification letters are being distributed to impacted individuals.

Scope of Compromised Information

The types of exposed information varied among individuals. The compromised data may include names combined with at least one of these data elements: address, birth date, Social Security number, driver’s license number, financial account number, medical treatment information, medical record number, and medical insurance policy.

Threat Actor Activity and Data Exposure Claims

The Rhysida ransomware group claimed responsibility for the attack and listed Cookeville Regional Medical Center on its dark web data leak site. The group stated that it exfiltrated 538 gigabytes of data during the incident. Information published on the data leak site indicates that 70 percent of the data was released, while 30 percent may have been sold.

Mitigation Measures and Individual Protections

Affected individuals have been advised to monitor their accounts and explanation of benefits statements for any unauthorized activity. The organization reported that there is no evidence indicating misuse of the compromised data.

Cookeville Regional Medical Center offered 12 months of free credit monitoring and identity theft protection services to the affected individuals. Additional technical security measures have been implemented to reduce the likelihood of similar incidents.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter at https://x.com/JamesKeoghHIPAA and contact him on LinkedIn at https://www.linkedin.com/in/james-keogh-89023681.