⚡ Key Takeaways

Cookeville Regional Medical Center notified 337,917 patients on April 14, 2026 of a July 2025 Rhysida ransomware intrusion that exfiltrated 500GB of data, including SSNs, financial accounts, and medical records. Rhysida claimed 91 attacks in 2025 with an average $1.2M demand, listing Cookeville data at 10 bitcoin before dumping it freely. The nine-month gap between detection and notification highlights the industry-wide breach-response crisis.

Bottom Line: Healthcare CISOs globally should deploy MFA on VPN/webmail, EDR on every endpoint, and rehearse the 60-day breach notification scenario now — detection speed is the variable hospitals actually control.



🧭 Decision Radar

Relevance for Algeria
High

Algeria’s public hospitals, private clinics, and healthcare operators under the Ministry of Health face the same ransomware threat model. Digital health initiatives under the national health strategy increase the attack surface year over year.
Infrastructure Ready?
Partial

Larger Algerian hospitals have firewall and AV baselines; most lack EDR, 24/7 SOC coverage, and tested immutable backups. ASSI’s CII framework is adding pressure but rollout is uneven.
Skills Available?
Limited

Healthcare-specific cybersecurity talent is scarce. Hospital IT teams are typically generalists splitting time between biomedical engineering and Windows admin, with few dedicated security roles.
Action Timeline
6-12 months

Core controls (MFA, patching, segmentation, backups) can be in place inside 6 months. Mature SOC coverage and clinical IR rehearsal take 12-24 months.
Key Stakeholders
Hospital CIOs/CISOs, Ministry of Health,
Decision Type
Strategic

Healthcare ransomware resilience is a multi-year capability build, not a product purchase. Requires organizational IT/OT convergence and sustained executive backing.

Quick Take: Algerian healthcare CISOs should treat the Cookeville case as a preview of a near-future national incident. Fund EDR and MFA rollouts across major public hospitals in 2026, build a DZ-CERT-coordinated healthcare IR playbook, and rehearse the 60-day notification scenario before the first Rhysida victim in Algiers makes the rehearsal real.

What Happened at Cookeville

Cookeville Regional Medical Center (CRMC), a Tennessee regional hospital, detected a network intrusion on July 14, 2025. The investigation found that files had been stolen in the days before detection: roughly 500GB of data had already left the network by the time the intrusion was noticed. The Rhysida ransomware gang claimed responsibility on its leak site.

On April 14, 2026 — nine months after detection — CRMC began mailing breach notification letters to 337,917 individuals. The compromised information, per the hospital’s filing, included names, dates of birth, addresses, Social Security numbers, driver’s license numbers, financial account numbers, medical treatment information, and health insurance policy details.

Rhysida initially listed the data for sale at 10 bitcoin (roughly $1M at the time). When no buyer materialized, the group made the stolen dataset freely available for download — a pressure pattern the gang uses to punish non-payment and to maintain credibility in the ransomware ecosystem.

Rhysida claimed 91 attacks across all sectors in 2025, with 23 confirmed and an average ransom demand of $1.2M, according to breach-tracking analyses.

Who Rhysida Is

Rhysida is a ransomware-as-a-service (RaaS) operation that recruits affiliates who run intrusions using the Rhysida strain in exchange for a cut of ransom payments. CISA, the FBI, and MS-ISAC jointly profiled the group in advisory AA23-319A in November 2023. Since then:

  • Primary sectors: education, government, manufacturing, and technology, with sustained secondary focus on healthcare and public health.
  • Method: double extortion — encrypt to extort, then publish or sell stolen data if payment is refused.
  • Pressure tactic: a seven-day publication window to force rapid payment decisions.
  • Entry vectors: phishing, Remote Desktop Protocol brute force, exploitation of unpatched perimeter devices (VPN gateways, firewalls), and malicious search engine ads that deliver trojaned installers.

Healthcare remains a prime target because hospitals cannot afford extended downtime, patient safety is directly at risk, and most hospital IT budgets are materially below the sector’s risk profile.


The Nine-Month Notification Gap

The issue that drew public attention in the Cookeville case is not that the breach happened; it is that notification took nine months (274 days) from detection to letter. Under the US HIPAA Breach Notification Rule (45 CFR § 164.400-414), covered entities must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. The gap reflects a common pattern:

  • Forensic investigations outrun the 60-day clock, and the “discovery” date that starts it is often contested: entities argue it is the day the scope was confirmed, not the day the intrusion was first detected.
  • Delayed notification compounds reputational and regulatory damage.
  • By the time patients learn their SSN and medical records are on a leak site, the data has already circulated in criminal markets for months.

For global healthcare CISOs, the lesson is that the ransomware clock does not start at notification — it starts at intrusion. Detection speed, not disclosure speed, is the variable under your control.

The Healthcare Defender Playbook

Drawing from CISA AA23-319A, HHS HC3 alerts, Barracuda’s Rhysida analysis, BlackFog’s incident tracking, and 2026 HIPAA guidance:

Prevention (pre-intrusion):

  1. Patch internet-facing systems aggressively. VPN gateways (Fortinet, Cisco, Ivanti), firewalls, and RDP-exposed hosts are the top three Rhysida entry points.
  2. Multi-factor authentication everywhere. Webmail, VPN, and any system that reaches clinical data. Single-factor VPN is Rhysida’s favourite door.
  3. Network segmentation. Isolate EHR, imaging (PACS), lab systems, and biomedical OT from general IT. A flat hospital network is a ransomware accelerator.
  4. Kill search-ad installers. Train staff not to install software from search-engine ad results. Use application allowlisting on clinical workstations.
  5. Offline, tested backups. Not just “backups exist” — tested restores, immutable copies, and offline media. Rhysida’s affiliates routinely target backup servers.

Detection (during intrusion):

  1. EDR on every endpoint. CrowdStrike, SentinelOne, Defender for Endpoint with active response enabled. Detect LOLBin abuse, credential dumping, and unusual archive creation (the 500GB staging step).
  2. Egress monitoring. A hospital workstation should not normally push 500GB to a single external host. DLP and network anomaly detection catch this only if they are baselined per host and alert on volume, not just on content.
  3. SIEM correlation and 24/7 SOC coverage. Most regional hospitals still run business-hours SOCs. Rhysida exploits nights and weekends.
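The egress check in step 2 is simple enough to show in code. The script below is an added example, not CRMC's tooling or any vendor's detection logic. It reads constructed flow records (timestamp, source, destination, bytes sent), keeps only traffic from RFC 1918 internal hosts to external addresses (a hypothetical hospital addressing assumption), finds each host's peak outbound volume in any 24-hour sliding window, and raises an alert when that peak exceeds both an absolute floor and a multiple of the host's usual daily egress. The sample log and per-host baselines are made up for illustration; a real deployment would feed it NetFlow or proxy logs and derive baselines from history.

```python
"""Egress-volume exfiltration detector over flow logs.

Added example for illustration; not code from the original article, from CRMC, or
from any product. Every address, baseline and log line below is constructed.
Record format assumed (hypothetical): ISO-8601 timestamp | src IP | dst IP | bytes sent.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the hospital numbers its internal estate from RFC 1918 space. We test
# membership explicitly rather than using ipaddress.is_private, which also treats the
# 203.0.113.0/24 documentation range used below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one workstation pushes ~19 GiB to a single external host overnight,
# two others do ordinary small web traffic, and one large internal copy to a file server
# (which must NOT be counted as egress).
SAMPLE_FLOWS = """\
2025-07-11T22:05:00|10.20.5.17|203.0.113.45|2147483648
2025-07-11T22:07:00|10.20.5.18|198.51.100.9|524288
2025-07-11T22:09:00|10.20.5.19|198.51.100.9|786432
2025-07-11T22:12:00|10.20.5.17|10.20.1.4|10737418240
2025-07-11T22:35:00|10.20.5.17|203.0.113.45|4294967296
2025-07-11T23:10:00|10.20.5.17|203.0.113.45|5368709120
2025-07-11T23:40:00|10.20.5.17|203.0.113.45|8589934592
"""

# Constructed per-host baseline of typical external egress per day, in bytes.
BASELINES = {"10.20.5.17": 200 * (1 << 20), "10.20.5.18": 300 * (1 << 20)}
DEFAULT_BASELINE = 256 * (1 << 20)  # used for hosts with no learned baseline


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    nbytes: int


@dataclass(frozen=True)
class Alert:
    host: str
    window_start: datetime
    total_bytes: int
    destinations: tuple[str, ...]
    baseline_bytes: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[Flow]:
    """Parse pipe-separated flow records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split("|")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def peak_egress(flows: list[Flow], window: timedelta) -> dict[str, tuple[int, datetime, tuple[str, ...]]]:
    """For each internal host, the largest byte total sent to external hosts within any
    sliding window of the given length, plus the window start and the destinations seen."""
    by_host: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_host[f.src].append(f)
    result = {}
    for host, hf in by_host.items():
        hf.sort(key=lambda f: f.ts)
        best = (0, hf[0].ts, ())
        lo, total = 0, 0
        for hi, f in enumerate(hf):
            total += f.nbytes
            while hf[hi].ts - hf[lo].ts > window:  # slide the left edge forward
                total -= hf[lo].nbytes
                lo += 1
            if total > best[0]:
                dsts = tuple(sorted({g.dst for g in hf[lo:hi + 1]}))
                best = (total, hf[lo].ts, dsts)
        result[host] = best
    return result


def detect_exfil(flows: list[Flow], baselines: dict[str, int], window: timedelta = timedelta(hours=24),
                 abs_floor: int = 1 << 30, ratio: float = 5.0) -> list[Alert]:
    """Alert when a host's peak windowed egress is at least abs_floor bytes AND at least
    `ratio` times its daily baseline. Both conditions stop tiny hosts and busy servers
    (e.g. a PACS gateway with a large baseline) from tripping on normal traffic."""
    alerts = []
    for host, (total, start, dsts) in peak_egress(flows, window).items():
        base = baselines.get(host, DEFAULT_BASELINE)
        if total >= abs_floor and total >= ratio * base:
            alerts.append(Alert(host, start, total, dsts, base))
    return sorted(alerts, key=lambda a: a.total_bytes, reverse=True)


if __name__ == "__main__":
    for a in detect_exfil(parse_flows(SAMPLE_FLOWS), BASELINES):
        print(f"{a.host}: {a.total_bytes / (1 << 30):.1f} GiB to {', '.join(a.destinations)} "
              f"from {a.window_start:%Y-%m-%d %H:%M} ({a.total_bytes / a.baseline_bytes:.0f}x baseline)")
```

The two-part threshold is the point: an absolute floor alone misses nothing but pages the SOC on every backup job, while a ratio alone lets a compromised host with a noisy history hide. Tuning both per host, and alerting on a single destination absorbing most of the volume, is what turns "DLP is installed" into a control that would have fired during the days Rhysida was staging 500GB.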

Response (post-intrusion):

  1. Rehearse the breach response plan with legal, communications, clinical leadership, and external counsel. Meet HIPAA 60-day notification windows or document the forensic reason you cannot.
  2. Do not assume a silent response. Rhysida will leak the data if you do not pay; paying does not guarantee the data stays private. Build the public-response playbook as if leaked.

What Global Healthcare Systems Should Take Away

Rhysida is not a sophisticated zero-day shop. The Cookeville intrusion is a case study in what unsophisticated ransomware does to an under-defended hospital: phishing or RDP entry, lateral movement, exfiltration, encryption, extortion, leak. Every control in the playbook above is standard — the gap is consistent execution across every hospital IT estate.

For non-US healthcare systems watching from Europe, Africa, and the Middle East: Rhysida does not care about borders. The same group has claimed victims in the UK, France, and Australia. The playbook ports cleanly, and the seven-day leak timer is universal.



Frequently Asked Questions

Why do ransomware groups like Rhysida leak data even after victims refuse to pay?

Leaking punishes non-payment and maintains credibility for future victims. If Rhysida only leaked when paid, victims would learn that refusing payment is safe. The public dump, with a seven-day countdown, is the economic signal that non-payment has consequences. This is why planning for public disclosure is as important as planning for payment.

How much does a ransomware attack actually cost a regional hospital?

Published cases show total cost — response, legal, notification, credit monitoring, regulatory fines, and lost revenue — typically exceeding the ransom demand by a factor of 5-15x. A $1M Rhysida demand translates to $5-15M in total impact, even when the ransom is not paid. Cyber insurance often covers only a portion, and premiums rise sharply after a claim.

What is the single highest-value control a small hospital can deploy today?

Multi-factor authentication on VPN and webmail. Most Rhysida healthcare intrusions start with credential theft via phishing and a single-factor VPN login. MFA closes that door at modest cost relative to the rest of the playbook. EDR on every endpoint is the second priority; both are deployable inside one budget cycle for a regional hospital.
