Kettering Health has confirmed it is responding to a cybersecurity incident involving unauthorized access to its network. The organization has taken steps to contain and mitigate the breach and is actively investigating and monitoring the situation. Ransomware is suspected in the attack, which has disrupted hospital operations, limited access to critical patient care systems, and forced the cancellation of elective procedures, although emergency services remain operational.
CNN reported that ransomware was deployed on Kettering’s computer network, according to a ransom note recovered at the scene and viewed by the news outlet.
“Your network was compromised, and we have secured your most vital files,” the ransom note says.
The note threatens to leak data allegedly stolen from Kettering Health online unless the health network begins negotiating an extortion fee.
The ransom note leads the victim to an extortion site associated with a ransomware gang known as Interlock, which first emerged last fall. Interlock has since targeted a variety of sectors, including tech and manufacturing firms and government organizations, according to Talos, Cisco’s cyber-intelligence unit.
“Earlier this morning, Kettering Health experienced a system-wide technology outage, which limited our ability to access certain patient care systems across the organization. We have procedures and plans in place for these types of situations and will continue to provide safe, high-quality care for patients currently in our facilities,” according to a Tuesday notice. “Elective inpatient and outpatient procedures at Kettering Health facilities have been canceled for today, Tuesday, May 20. These procedures will be rescheduled for a later date, and more information will be provided on this as updates are available. In addition, our call center is experiencing an outage and may not be accessible.”
At this time, the Ohio-based healthcare network stated that only elective procedures are being rescheduled. Emergency rooms and clinics remain open and are continuing to see patients.
Kettering Health said it has “confirmed reports that scam calls have occurred from persons claiming to be Kettering Health team members requesting credit card payments for medical expenses,” the notice added. “While it is customary for Kettering Health to contact patients by phone to discuss payment options for medical bills, out of an abundance of caution, we will not be making calls to ask for or receive payment over the phone until further notice. We encourage anyone who receives a scam call to report it to local law enforcement.”
However, it noted that it has not been established that these scam calls are connected to the system-wide technology outage.
Commenting on the Kettering Health attack, Debbie Gordon, CEO and founder of Cloud Range, wrote in an emailed statement that healthcare systems continue to be pushed to the brink, not by medical emergencies, but by cyberattacks that disable basic operations. “The Kettering Health attack is yet another example of why tabletop exercises and simulation-based training programs are essential.”
She added that responding to ransomware is not only about technology; it’s about people knowing what to do when systems go down. “Clinical staff, IT teams, and executives all need to rehearse how to operate effectively under pressure. The faster we normalize this kind of preparedness, the more resilient our healthcare infrastructure will become.”
“The healthcare sector continues to be disproportionately targeted by ransomware groups because it presents a high-pressure environment where disruption can immediately impact patient lives,” Gunter Ollmann, CTO at Cobalt, wrote in an emailed statement. “This urgency increases the likelihood of ransom payment, making hospitals prime targets for attackers looking for quick returns. But these incidents are more than just criminal opportunism—they’re warning shots for what cyber warfare could look like.”
He added that the same vulnerabilities being exploited now would be leveraged in future geopolitical conflicts to destabilize critical infrastructure. “Offensive security gives us the ability to simulate these high-stakes scenarios and uncover weak points before the stakes become national.”
In March, Claroty reported that it had analyzed over 2.25 million Internet of Medical Things (IoMT) devices and more than 647,000 operational technology (OT) devices across 351 healthcare organizations. Confirmed known exploited vulnerabilities (KEVs) were found in 99 percent of the organizations in Claroty’s data set, while 20 percent of hospital information systems that manage clinical patient data, as well as administrative and financial information, contained KEVs linked to ransomware and were insecurely connected to the internet.