Rhysida Claims Cookeville Regional Cyberattack: Deadline and Demand Remain Unclear, Data Leak Looms

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

The Cookeville Regional Medical Center (CRMC) breach, which was confirmed in July this year, has been claimed by the Rhysida ransomware group. The breach was detected on July 13, after the hospital discovered unusual activity affecting its IT systems and electronic health records.

Cybersecurity researcher Dominic Alvieri shared a dark web leak site screenshot showing Rhysida's claim, highlighting the group’s alleged involvement as part of ongoing cyber threat intelligence monitoring. 

At the time, CRMC publicly described the incident as a suspected ransomware attack, pending confirmation from their internal investigation and coordination with federal law enforcement and external cybersecurity experts. 

However, Rhysida’s dark web claim may erase ambiguity over who is behind the Cookeville Regional Medical Center disruption.

Screenshot of the dark web post claiming the CRMC attack | Source: Dominic Alvieri on X

CRMC Breach

According to direct statements to media, the hospital that serves Cookeville and surrounding areas in Tennessee, including the Upper Cumberland region, confirmed that the technical outage it experienced was due to a ransomware attack.

The incident was discovered after Cookeville Regional Medical Center’s Information Systems team identified unusual activity disrupting some of the hospital’s computer systems.

Tim McDermott, CRMC’s chief information officer, addressed the incident and said, “If the investigation determines that any information has been accessed or acquired without authorization, CRMC will notify those affected as soon as possible in accordance with applicable law.”

Ransomware groups have been leveraging the urgency of patient care to extort healthcare organizations. However, Cookeville Regional Medical Center CEO Buffy Key clarified that patient care has not been affected by this ‘outage’ even though technology, scheduling, and other services were disrupted.

While the ransom amount remains undisclosed, ransomware incidents often involve behind-the-scenes negotiations, though CRMC has not confirmed any such dialogue.

Rhysida is known for publishing stolen data if ransom demands go unmet, and in previous cases, has released sensitive internal records, patient files, and operational documents to pressure victims into compliance.

“There are many questions all of us would like to know the answers to, and those will be answered in time we do believe,” Key concluded.

If payment is not made, Rhysida may escalate, potentially leaking additional sensitive records, a tactic it has used in past healthcare incidents.

For now, CRMC remains focused on system restoration and patient care.

A report by the HIPAA Journal on the City of Columbus ransomware attack stated, “While many ransomware groups leak stolen data on their data leak sites when ransoms are not paid, Rhysida is known to auction off the stolen data.”

The report also noted that Rhysida has targeted multiple healthcare entities, including Lurie Children’s Hospital in Chicago in January 2024, demonstrating a disturbing trend of exploiting critical care infrastructure for extortion.

