Cookeville Regional Medical Center Hit by Rhysida Ransomware Attack, Exposing 337,917 Patients’ Data Cookeville Regional Medical Center (CRMC), a 309-bed hospital serving 14 counties in Tennessee’s Upper Cumberland region, has notified 337,917 patients that their personal and medical data was compromised in a July 2025 ransomware attack. Breach notification letters were mailed on April 14, 2026 nearly nine months after the intrusion was detected. The attack, attributed to the Russia-linked Rhysida ransomware-as-a-service group, occurred between July 11 and July 14, 2025. Rhysida claimed responsibility on August 2, 2025, demanding a 10 Bitcoin ransom (approximately $1.15 million at the time) and publishing sample files on its dark web leak site. It remains unclear whether CRMC paid the ransom. Exposed data may include names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account details, medical record numbers, treatment information, and health insurance data. In response, CRMC is offering affected individuals 12 months of free identity theft protection through Experian. The incident ranks as the eighth-largest U.S. healthcare ransomware breach of 2025 by records compromised. Comparitech, which tracked 134 confirmed attacks on U.S. healthcare providers last year, reported that these breaches exposed 11.7 million records. Rhysida alone claimed 91 attacks across all sectors in 2025, with 23 confirmed and an average ransom demand of $1.2 million. Other recent Rhysida healthcare victims include Florida Lung, Asthma & Sleep Specialists ($639,000 demand), MedStar Health ($3.09 million), Spindletop Center ($1.65 million), MACT Health Board ($662,000), and Heart South Cardiovascular Group ($630,000). Rebecca Moody, head of data research at Comparitech, noted that the extended investigation timeline reflects the complexity of forensic analysis following hospital ransomware attacks. She also highlighted that delayed or vague breach notifications can increase risks of identity theft and phishing for affected individuals. CRMC has since implemented additional security measures in the wake of the attack. Ransomware incidents at U.S. hospitals frequently result in prolonged downtime, canceled appointments, and patient diversions, even when clinical systems remain operational.