Interlock adds Kettering Health to its ransomware data leak site – 941 GB allegedly stolen

This morning, ransomware gang Interlock posted Kettering Health to its data leak site. It claims to have stolen 941 GB of data, comprising 732,490 files across 20,418 folders, which appears to contain ID cards, payment data, financial reports, and more.

Kettering Health suffered a ransomware attack on May 20, 2025. The attack caused a system-wide outage affecting its 14 medical centers and 120 outpatient facilities. In its latest update on Monday, it confirmed it had “successfully launched the core components of its Epic electronic health record (EHR),” marking a “significant step forward in our system-wide restoration.”

Kettering Health has not commented so far on any potential data breach and hasn’t confirmed Interlock’s claims. However, Interlock had already been confirmed as the ransomware gang responsible for the attack: CNN saw the ransom note, which led to Interlock’s extortion site. The fact that Interlock has now posted Kettering Health to its data leak site suggests no ransom was paid.

While we await further updates from Kettering Health on this potential data breach, we highly recommend that patients and staff be on high alert for any potential phishing messages and monitor their accounts for any suspicious activity.

[Image: Interlock adds Kettering Health to its data leak site]

Who is Interlock?

Interlock first began adding victims to its data leak site in October 2024. As with most ransomware gangs today, it seeks a ransom payment for the decryption of systems and the deletion of stolen data.

Since October 2024, we’ve tracked 17 confirmed attacks via this group and a further 22 unconfirmed attacks that haven’t been acknowledged by the organizations in question. Interlock was also responsible for the April 2025 attack on kidney dialysis firm DaVita. This too caused widespread disruption to patient care and saw a large breach of 1.5 TB of data.

Three other US healthcare companies have confirmed large breaches following attacks via Interlock:

Ransomware attacks on US healthcare companies

2025 has already seen 26 confirmed attacks on US healthcare companies, as well as a further 92 unconfirmed.

Other recently confirmed attacks include Marlboro-Chesterfield Pathology, P.C., which was hit by SafePay in January 2025. This resulted in a data breach involving 235,911 people.

Over the last week, Bradford Health Services and Next Step Healthcare, LLC have started notifying patients of breaches stemming from older ransomware attacks. Bradford Health Services suffered an attack via Hunters International in December 2023 and has now confirmed 22,465 people were affected. Meanwhile, Next Step Healthcare, LLC has just started notifying 12,090 people of a breach following an attack via Qilin in June 2024.

As we are seeing with Kettering Health, ransomware attacks on healthcare companies have the potential to cause widespread disruption. Not only can they result in patient care being impacted after systems are encrypted, but the consequences are often felt months, and even years, afterward when data is stolen by hackers. In 2024 alone, nearly 27.3 million records were breached across 163 individual ransomware attacks on US healthcare companies.

About Kettering Health

Kettering Health offers patient care throughout western Ohio with its 14 medical centers and 120+ outpatient facilities. It employs around 15,000 people and over 1,800 physicians.

