Kettering Health Ransomware Attack 2025: 1.7M Affected by Interlock, EHR Down 13 Days, Class Actions Filed
Kettering Adventist Healthcare (Ohio) confirmed 1,695,382 patients had data stolen in the May 2025 Interlock ransomware attack. Intruders held network access from April 9 to May 20, 2025, forced a 13-day Epic EHR outage, and exfiltrated 941 GB. Notification letters went out in February 2026; class actions are consolidated in Montgomery County.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 9, 2025
Interlock actors first accessed Kettering Health's network
May 20, 2025
Attack detected; system-wide outage forces shutdown of ~600 applications across all 14 hospitals
Jun 2, 2025
Epic EHR restored after 13 days of pen-and-paper operations
Jun 9, 2025
MyChart patient portal access restored
Jun 10, 2025
Normal operations resumed across the system
Jun 16, 2025
Class action filed in Montgomery County Court of Common Pleas (Wright & Schulte)
Jul 21, 2025
HHS OCR notified with placeholder count of 501 individuals
Jan 29, 2026
Kettering Health updates its formal Notice of Privacy Incident; notifies affected individuals of Kroll identity monitoring offer
Feb 17, 2026
Individual notification letters mailed; OCR count updated to 1,695,382
Mar 5, 2026
Wright & Schulte LLC reports more than 200 lawsuits filed, representing approximately 700 patients
Apr 9, 2025
Interlock actors first accessed Kettering Health's network
May 20, 2025
Attack detected; system-wide outage forces shutdown of ~600 applications across all 14 hospitals
Jun 2, 2025
Epic EHR restored after 13 days of pen-and-paper operations
Jun 9, 2025
MyChart patient portal access restored
Jun 10, 2025
Normal operations resumed across the system
Jun 16, 2025
Class action filed in Montgomery County Court of Common Pleas (Wright & Schulte)
Jul 21, 2025
HHS OCR notified with placeholder count of 501 individuals
Jan 29, 2026
Kettering Health updates its formal Notice of Privacy Incident; notifies affected individuals of Kroll identity monitoring offer
Feb 17, 2026
Individual notification letters mailed; OCR count updated to 1,695,382
Mar 5, 2026
Wright & Schulte LLC reports more than 200 lawsuits filed, representing approximately 700 patients
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Kettering Adventist Healthcare, the 14-hospital nonprofit system that serves western Ohio as Kettering Health, has confirmed that 1,695,382 patients had protected health information stolen in the May 2025 ransomware attack carried out by the Interlock group. The intrusion is now one of the largest healthcare breaches reported to federal regulators in 2025, and the second-order operational damage — a 13-day Epic outage, hundreds of cancelled procedures, and ambulance diversion across the network — drove a wave of patient litigation that is already consolidated in state court.
Timeline
- April 9, 2025 — Interlock actors first gain access to Kettering Health’s network. They remain inside for roughly six weeks.
- May 20, 2025 — Ransomware detonates. Kettering shuts down approximately 600 digital applications across 14 medical centers and more than 120 outpatient facilities. Staff revert to pen and paper.
- June 2, 2025 — Epic EHR restored after 13 days offline.
- June 9, 2025 — MyChart patient portal access restored.
- June 10, 2025 — Normal operations resumed system-wide.
- June 16, 2025 — A class action is filed in Montgomery County Court of Common Pleas by Wright & Schulte LLC on behalf of affected patients.
- July 21, 2025 — Kettering files an initial HIPAA breach notification with HHS OCR using a placeholder count of 501 individuals while the forensic review continues.
- January 29, 2026 — Kettering updates its formal Notice of Privacy Incident and begins notifying affected individuals. Kroll identity monitoring is offered.
- February 17, 2026 — Individual notification letters mailed to affected patients. The OCR portal record is updated to the final figure of 1,695,382.
- March 5, 2026 — Wright & Schulte reports more than 200 lawsuits filed, representing approximately 700 patients.
What was exposed
According to the notification letter contents reported by HIPAA Journal, BankInfoSecurity, and DataBreaches.net, the data set exfiltrated by Interlock varied by individual but included combinations of the following elements:
- Names
- Social Security numbers
- Driver’s license numbers
- Passport numbers
- Financial account numbers
- Health insurance information
- Medical and treatment information
- Billing and claim information
- Usernames and associated passwords
Interlock claimed responsibility on its dark-web leak site in June 2025 and stated that it had stolen approximately 941 GB of data across roughly 732,490 files when the ransom went unpaid. The group subsequently published the stolen data.
Operational impact
This breach is unusual for the depth of clinical disruption it caused. With the Epic EHR offline for 13 days, Kettering Health:
- Shut down roughly 600 digital applications across all 14 hospitals and 120-plus outpatient sites.
- Placed emergency departments on ambulance diversion until EHR access was restored.
- Cancelled or rescheduled large numbers of procedures.
- Documented patient care on paper for nearly two weeks.
Court filings reported by HIPAA Journal describe the human cost in concrete terms. Of 44 individual cases later consolidated in Montgomery County, 37 plaintiffs allege delayed treatment and 8 allege denial of care. Cancer patients reported lost access to medications and appointments rescheduled months out or cancelled outright.
What Kettering Health is offering
Kettering Health is providing Kroll identity monitoring services at no cost to affected individuals. Enrollment is at tpsincident.kroll.com using the membership number printed in your notification letter. You must enroll within 90 days of receiving your letter; the deadline for letters mailed in February 2026 has passed for most recipients, but anyone who received a later notice should check their letter for the specific cutoff date.
Kettering also operates a dedicated assistance line at 1-844-784-5351, available Monday through Friday, 8:00 a.m. to 8:00 p.m. ET, excluding U.S. holidays. Written inquiries can be sent to: Kettering Health, 1 Prestige Place, Suite 580, Miamisburg, OH 45342.
As of January 29, 2026, when Kettering updated its formal Notice of Privacy Incident, the system stated it has no evidence that the stolen information has been used to commit identity theft or fraud. That caveat applies only to confirmed misuse; the 941 GB of data Interlock published on its leak site remains publicly accessible.
Class-action and regulatory posture
A consolidated class action is active in the Montgomery County Court of Common Pleas (Dayton, Ohio), filed by Wright & Schulte LLC of Vandalia, Ohio. The complaints seek compensatory damages exceeding $25,000 per case plus punitive damages and attorneys’ fees, with claims grouped into the treatment-delay and care-denial categories above.
By early March 2026, Wright & Schulte reported more than 200 lawsuits filed representing approximately 700 patients — a figure that had grown substantially from the 44 complaints that were initially consolidated. Attorneys say their office has heard from more than 500 additional patients suing over stolen personal information.
Lynch Carpenter LLP announced a separate investigation on May 22, 2025. Strauss Borrelli PLLC and Schubert Jonckheer & Kolbe LLP have each independently announced investigations of potential claims on behalf of affected patients.
The HHS Office for Civil Rights record remains open. CISA, the FBI, HHS, and the Multi-State ISAC issued a joint advisory regarding Interlock activity targeting healthcare entities in the wake of this attack.
What to do if affected
If you have ever been a patient at a Kettering Health facility, assume your information is in scope until the notification letter tells you otherwise.
- Enroll in Kroll identity monitoring. If you received a letter, use the membership number printed on it to enroll at tpsincident.kroll.com within 90 days of your letter date. Call 1-844-784-5351 (Mon-Fri, 8am-8pm ET) if you need help.
- Freeze your credit with Equifax, Experian, and TransUnion. The full set of identifiers stolen here — SSN, driver’s license, passport, financial account — is more than enough for identity theft and synthetic-identity fraud. Freezes are free and do not affect your credit score.
- File IRS Form 14039 (Identity Theft Affidavit) if your Social Security number was confirmed in your notification letter. This flags your IRS account against fraudulent tax return filings.
- Change any password you reused with your MyChart or other Kettering Health credentials. Usernames and passwords were among the data Interlock published.
- Be alert for scam calls. In the days after the attack, criminals posed as Kettering Health staff and demanded credit card payments over the phone. Kettering will not call you to request payment. Report any such call to your state attorney general and the FTC at reportfraud.ftc.gov.
- Watch for medical-identity-theft signals: unexplained EOBs, collection notices for care you did not receive, denials of coverage that reference services you did not get. Request a free copy of your medical record from each Kettering facility you have visited.
- If you experienced a delayed procedure, cancelled appointment, or care denial during the May–June 2025 outage, preserve your records. You may already be a member of the putative class in Montgomery County; counsel of record is Wright & Schulte LLC (yourlegalhelp.com).
Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests so the medical, billing, and insurance information exposed in this breach is not continuously re-shared across provider networks, health plans, and data brokers.
Sources
- Kettering Health Cybersecurity Incident FAQ — the official Kettering Health incident FAQ.
- Kettering Health — Notice of Privacy Incident — formal patient notice, updated January 29, 2026.
- HIPAA Journal — Kettering Health Ransomware Attack: 1.7 Million Individuals Affected
- BankInfoSecurity — Kettering Health Notifying Patients of Interlock Breach
- DataBreaches.net — Kettering Adventist Health now notifying patients (Feb 2026)
- The Record — Kettering Health confirms attack by Interlock ransomware group
- Becker’s Hospital Review — Kettering Health notifies patients after 2025 ransomware attack
- Dayton Daily News — Class action lawsuit filed against Kettering Health
- Dayton Daily News — Kettering Health faces hundreds of lawsuits stemming from 2025 cyberattack
- WHIO TV — More than 200 lawsuits filed against Kettering Health Network
- American Bar Association — Class Action Brought Against Kettering Health over 730,000 Stolen Patient Records
- Wright & Schulte LLC — 44 Lawsuits Filed Against Kettering Health (March 2026)
- Strauss Borrelli PLLC — Kettering Health investigation announcement
- Schubert Jonckheer & Kolbe LLP — Kettering Health data breach investigation
- Lynch Carpenter LLP — Investigation announcement
- Bitdefender — Phone Scammers Target Ohio Residents Following Kettering Health Cyberattack
- Kroll Identity Monitoring — Enrollment portal for Kettering Health affected individuals
- HHS Office for Civil Rights Breach Portal — the federal regulatory record.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Kettering Health — Cybersecurity Incident FAQ (official notice)
- HIPAA Journal — Kettering Health Ransomware Attack: 1.7 Million Individuals Affected
- BankInfoSecurity — Kettering Health Notifying Patients of Interlock Breach
- DataBreaches.net — Kettering Adventist Health now notifying patients
- The Record — Kettering Health confirms attack by Interlock ransomware group
- Dayton Daily News — Local attorneys announce patient class action lawsuit
- American Bar Association — Class Action Brought Against Kettering Health over 730,000 Stolen Patient Records
- Lynch Carpenter LLP — Investigation announcement
- Kettering Health — Notice of Privacy Incident (formal patient notice, updated Jan 29, 2026)
- Becker's Hospital Review — Kettering Health notifies patients after 2025 ransomware attack
- WHIO TV — More than 200 lawsuits filed against Kettering Health Network following breach
- Wright & Schulte LLC — 44 Lawsuits Now Filed Against Kettering Health (March 2026)
- Strauss Borrelli PLLC — Kettering Health Cybersecurity Incident Investigation
- Schubert Jonckheer & Kolbe LLP — Kettering Health data breach investigation
- Bitdefender — Phone Scammers Target Ohio Residents Following Kettering Health Cyberattack
- Kroll Identity Monitoring — Enrollment portal for Kettering Health affected individuals
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.