In the midst of summer, the Cookeville Regional Medical Center (CRMC) in Tennessee found itself at the epicenter of one of the most high-profile attacks of 2025. On July 13, cybercriminals from the Rhysida group penetrated the hospital’s network, stealing dozens of confidential documents. Two weeks later, on August 2, CRMC appeared on a darknet auction, where Rhysida put the stolen data up for sale with a starting price of 10 BTC (over $1.1 million).
Scanned copies of the following have already appeared in public access:
Despite this, the clinic’s management stated that vital care has not stopped, although patients complain on social media about denied examinations, canceled operations, and delayed results. One Facebook comment reads like a verdict: *“40 people waited for over 8 hours and no one explained anything. This is not a glitch, this is chaos.”*
Rhysida is a Russian-affiliated group with a dark reputation. Having appeared in 2023, it has almost doubled its number of attacks in a year and now has over 200 victims. The hackers do not choose their targets out of respect; they attack the weakest: hospitals, schools, municipalities, even governments.
Known Rhysida techniques:

- phishing attacks for initial penetration
- use of Cobalt Strike to analyze internal vulnerabilities
- blackmail through emotional pressure: “either you pay or the patients suffer”

Among the victims are the governments of Peru and Canada, The Washington Times, the British Library, several American clinics, and even Seattle-Tacoma Airport, for which the hackers demanded 100 BTC.
CRMC is not a provincial hospital, but a medical center that serves 250,000 patients in 14 counties in Tennessee and Kentucky. It has more than 2,500 employees, 175 doctors and more than 40 specialized areas of medicine.
A breach of such a system is not just a theft of data, but a blow to the life support of people who need help right now. But Rhysida does not seem to be stopped by this.
The hospital management says that the IT department is working 24/7 and that external experts and federal services have also been involved. However, specific deadlines for restoring networks and services have not yet been published. Patients have been promised notification if the investigation proves that personal data has been leaked.
The greater the vulnerability, the higher the chance of a ransom. Rhysida continues to use pressure, fear, and silence, which means that the hospital’s daily silence only strengthens the attackers’ position.