Full Report
A healthcare giant with dozens of facilities across Ohio is still recovering after shutting down nearly all its operations following a ransomware attack.
Analysis Summary
# Incident Report: Kettering Health Ransomware Disruption (June 2025)
## Executive Summary
Kettering Health, a major Ohio-based health network with dozens of facilities, suffered a system-wide technology outage following a ransomware attack discovered in late May 2025 (roughly two weeks before the June 3, 2025 report). The organization shut down nearly all of its operations, and the incident severely disrupted critical care: staff reverted to manual, pen-and-paper processes for patient record access, inter-team communication, and medication refills, and the resulting operational disruption persisted for weeks. Response actions focused on restoring core components of the Epic Electronic Health Record (EHR) system; partial restoration was reported by June 2, but full normalization remained a significant challenge two weeks after detection.
## Incident Details
- **Discovery Date:** Late May 2025 (the outage was noted roughly two weeks before the June 3, 2025 report; the exact date is not given)
- **Incident Date:** On or before the discovery date in late May 2025 (exact start date unknown)
- **Affected Organization:** Kettering Health
- **Sector:** Healthcare (Biotech & Health)
- **Geography:** Ohio, USA (Dayton area mentioned)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown; some time before the outage was reported.
- **Vector:** Not reported. The source identifies the incident only as a ransomware attack and does not state how the attackers gained initial access.
- **Details:** Resulted in a "system-wide technology outage."
### Lateral Movement
- Details regarding specific lateral movement techniques are not provided in the source article.
### Data Exfiltration/Impact
- **Details:** The primary impact was the disruption of digital systems, forcing immediate reversion to manual, pen-and-paper operations across care teams and administrative functions. This affected patient record updates, inter-team communication, and medication refill processes.
### Detection & Response
- **How it was discovered:** Not stated in the source. Kettering Health announced a system-wide technology outage after identifying the ransomware infection.
- **Response actions taken:** Restoration efforts of core components of the Epic EHR system were underway, with partial success noted by June 2nd, 2025, allowing for some updates and access to electronic health records.
## Attack Methodology
*Note: Specific technical details are unavailable in this summary.*
- **Initial Access:** Unknown (the source reports a ransomware attack but not the entry point).
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Unknown. The source does not name the ransomware family or confirm that data was staged or stolen.
- **Exfiltration:** Unknown.
- **Impact:** Business interruption via technology outage, severe operational impairment requiring manual processes.
## Impact Assessment
- **Financial:** Not disclosed/estimated.
- **Data Breach:** Not confirmed in the source. Ransomware attacks commonly combine encryption with data theft, but no exfiltration was reported here. Patient information and medical records were digitally inaccessible for the duration of the outage.
- **Operational:** Severe and prolonged. Two weeks after detection, patients still reported problems obtaining medication refills, could not reach doctor's offices by phone, and some emergency rooms were closed. Clinical operations reverted to manual charting ("pen and paper").
- **Reputational:** Negative public attention, evidenced by patient reports on social media (Reddit).
## Indicators of Compromise
- *None available. The source text provides no IP addresses, domains, file hashes, or ransomware family attribution.*
## Response Actions
- **Containment measures:** Kettering Health shut down nearly all of its operations (reported publicly as a "system-wide technology outage"). The source does not describe any further containment steps, such as network segmentation or credential resets.
- **Eradication steps:** Not detailed; the source describes only ongoing work to secure and restore systems.
- **Recovery actions:** "Core components" of the Epic EHR system were restored by June 2, allowing limited updates to and access to patient records. Recovery efforts were still ongoing two weeks after the outage began.
## Lessons Learned
- Concentrating basic healthcare functions (communication, refills, charting) on a single digital platform (the Epic EHR) makes that platform a single point of failure: when it is unavailable, every dependent workflow degrades at once.
- Recovery from major ransomware incidents can span weeks, severely impacting routine patient care and access to essential services.
## Recommendations
- **Prevention measures for similar incidents:** Maintain backups that are segmented from the production network (offline or immutable copies that a compromised domain account cannot modify or delete), and keep an incident response plan that is specific to restoring EHR functionality, rehearsed on a schedule with time-to-restore measured rather than assumed.
- Maintain redundant communication channels and downtime procedures that do not depend on the IT environment (for example, out-of-band phone trees and prepared paper downtime forms) for critical patient safety functions.
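The "regularly tested" part of the backup recommendation is the piece organizations most often skip: backups exist, but nobody has proven they restore cleanly. The following is an added example, not Kettering Health's or Epic's tooling, of a minimal restore drill. At backup time it records a SHA-256 manifest of the backup set; at drill time it restores the set into a scratch directory (never over production), verifies every file against the manifest, and reports missing, altered, or unexpected files and a stale backup. The sample files, paths, and the tampering step are all constructed for the demo.

```python
# Added example: restore-drill verifier for a backup set.
# Not Kettering Health's or Epic's tooling; all sample data is constructed.
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path) -> dict:
    """Record relative path -> SHA-256 for every file in the set, plus the backup time.
    The manifest must live outside the writable backup share (or be signed), otherwise
    an attacker who can encrypt the backups can rewrite the manifest to match."""
    files = {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*")) if p.is_file()
    }
    manifest = {"created": time.time(), "files": files}
    manifest_path.write_text(json.dumps(manifest))
    return manifest


def verify_restore(restored_dir: Path, manifest: dict,
                   max_age_hours: float = 24.0, now: Optional[float] = None) -> dict:
    """Compare a restored tree against the manifest. 'ok' is True only when every
    expected file is present with the right hash, nothing extra appeared, and the
    backup is younger than max_age_hours."""
    now = time.time() if now is None else now
    expected = manifest["files"]
    present = {
        p.relative_to(restored_dir).as_posix(): sha256_file(p)
        for p in restored_dir.rglob("*") if p.is_file()
    }
    missing = sorted(set(expected) - set(present))
    unexpected = sorted(set(present) - set(expected))
    corrupted = sorted(f for f in expected if f in present and present[f] != expected[f])
    age_hours = (now - manifest["created"]) / 3600
    stale = age_hours > max_age_hours
    return {
        "ok": not (missing or unexpected or corrupted or stale),
        "missing": missing, "unexpected": unexpected, "corrupted": corrupted,
        "stale": stale, "age_hours": round(age_hours, 2),
    }


def restore_drill(backup_dir: Path, manifest_path: Path, **verify_kwargs) -> dict:
    """Restore into a throwaway scratch directory and verify there, so the drill can
    never clobber live systems. Returns the verification report."""
    manifest = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restore"
        shutil.copytree(backup_dir, target)
        return verify_restore(target, manifest, **verify_kwargs)


def demo() -> Dict[str, dict]:
    """Constructed scenario: a fresh backup passes the drill; the same backup judged
    48 hours later is stale; after one file is overwritten (as ransomware reaching a
    writable backup share would do) the drill reports it as corrupted."""
    with tempfile.TemporaryDirectory() as root:
        backup = Path(root) / "backup"
        (backup / "ehr").mkdir(parents=True)
        (backup / "ehr" / "patients.db").write_bytes(b"constructed sample db contents")
        (backup / "ehr" / "orders.log").write_bytes(b"constructed sample log line\n")
        manifest_path = Path(root) / "manifest.json"   # kept outside the backup tree
        manifest = write_manifest(backup, manifest_path)

        clean = restore_drill(backup, manifest_path)
        stale = restore_drill(backup, manifest_path, now=manifest["created"] + 48 * 3600)
        (backup / "ehr" / "patients.db").write_bytes(b"ENCRYPTED-BY-ATTACKER")
        tampered = restore_drill(backup, manifest_path)
        return {"clean": clean, "stale": stale, "tampered": tampered}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run on a schedule against the offline or immutable backup tier, the drill turns "we have backups" into a measured claim: it catches backups that were silently encrypted or deleted before the real restore is needed, and the scratch-directory restore is also where time-to-restore for EHR components should be timed.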