Healthcare Cyber Incidents: Kettering Health Ransomware Litigation, Insightin Health GoAnywhere Breach, and Polish Hospital Disruption
Multiple healthcare-sector cyber incidents were reported, including ongoing fallout from a ransomware attack on a major U.S. provider. Kettering Health continues to face escalating legal exposure from a 2025 ransomware attack attributed to Interlock, which allegedly stole 941 GB of data and encrypted systems. The disruption forced the shutdown of roughly 600 applications, a temporary shift to paper workflows, and delays to care while systems (including the Epic EHR) were restored. Dozens of patient lawsuits have been filed and consolidated in Ohio, with claims focused not only on data theft but also on alleged delayed or denied medical care during the outage.
Separately, healthcare vendor Insightin Health disclosed a 2025 security incident involving its use of the GoAnywhere managed file transfer tool. The company reported that an unauthorized party accessed GoAnywhere by exploiting an “unknown design flaw” and potentially accessed files on a subset of servers between September 17 and 23, 2025. Impacted data may have included names, provider names, insurance information, and member IDs (no SSNs or financial data reported). In Europe, the Independent Public Regional Hospital in Szczecin, Poland, reported a March 2026 cyberattack that encrypted parts of hospital data, disrupted digital operations, and forced a temporary return to paper-based processes; the hospital stated that urgent care continued despite slower administration.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Dozens of lawsuits filed over Kettering Health attack
By March 2026, dozens of lawsuits had been filed in response to the Kettering Health ransomware attack, including a consolidated complaint in Ohio state court. The suits allege data theft, negligence, and delays or denial of medical care, and seek damages and security improvements.
Cyberattack disrupts Polish hospital and forces paper operations
Over the weekend of March 7–8, 2026, the Independent Public Regional Hospital in Szczecin, Poland, suffered a cyberattack that encrypted part of its data and disrupted IT systems. The hospital temporarily reverted to paper-based workflows while continuing urgent treatment and admissions during restoration efforts.
Insightin Health submits breach notice to California AG
Insightin Health submitted a breach notification to the California Attorney General on March 4, 2026, disclosing the September 2025 unauthorized access incident. A Washington State report update cited 11,740 affected Washington residents, while the incident had not yet appeared on the HHS breach portal at the time of reporting.
Health plan confirms affected individuals in Insightin files
On February 12, 2026, a health plan confirmed to Insightin Health that some individuals' data was included in the affected files from the September 2025 incident. This appears to have clarified that personal data was exposed in the compromise.
Medusa claims Insightin Health incident on leak site
Reporting noted that the Medusa ransomware/extortion group claimed the Insightin Health incident on its leak site in September 2025. The company's later notification did not mention this public extortion claim.
Attacker exploits GoAnywhere flaw at Insightin Health
Insightin Health said an attacker exploited an 'unknown design flaw' in the GoAnywhere file-transfer tool and may have accessed data on a subset of servers between September 17 and September 23, 2025. The potentially exposed information included personal and health-plan-related data such as names and insurance identifiers.
Kettering Health reports breach to HHS OCR
Kettering Health reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights with a placeholder count of 501 affected individuals. About 10 months after the attack, the total number of affected people was still unconfirmed.
Kettering Health says normal operations resumed
Kettering Health stated that normal operations had resumed by June 10, 2025, after weeks of disruption caused by the ransomware attack. Plaintiffs later alleged some care disruptions lasted beyond the roughly three-week systems outage.
Epic EHR core components restored at Kettering Health
Kettering Health restored core components of its Epic electronic health record system as part of recovery from the ransomware attack. This marked a major step toward resuming normal clinical and administrative operations.
Kettering Health hit by ransomware attack and major outage begins
In May 2025, Kettering Health in Ohio suffered a ransomware attack attributed to Interlock. The health system shut down roughly 600 digital applications, reverted to paper processes, and canceled appointments during response and recovery.
Interlock gains access to Kettering Health's network
A later investigation found the Interlock ransomware group had access to Kettering Health's network beginning on April 9, 2025. During this access window, the attackers were able to access or copy files containing patient, medical, insurance, and financial data.
Sources
3 references tracked.
Dozens of Lawsuits Filed in Response to Kettering Health Ransomware Attack (hipaajournal.com)
Insightin Health discloses its second data security incident in two years (1) - DataBreaches.Net (databreaches.net)
Cyberattack Forces Polish Hospital Revert to Paper-Based Operations - DataBreaches.Net (databreaches.net)


