Ascension Ransomware Attack: 5.6 Million Patients Affected
It has taken more than 7 months for Ascension Health to determine how many individuals had their data stolen in its May 2024 ransomware attack. On December 19, 2024, Ascension announced that the file review had concluded and the protected health information of 5,599,699 patients was compromised in the attack.
Ascension announced the cyberattack quickly, confirming on May 9, 2024, a day after the attack, that it was investigating a cybersecurity incident. Since then, Ascension has been providing regular updates on its website on the recovery and the findings of its investigation. When it was confirmed in July that patient data had been stolen, Ascension reported the data breach to the HHS’ Office for Civil Rights (OCR) using a placeholder figure of 500 affected individuals. Ascension also announced at the time that it was offering complimentary credit monitoring services, and individuals could sign up for those services immediately. Ascension has now arranged for a new credit monitoring package, which will last for 2 years from the enrollment date. Individuals who previously signed up for credit monitoring services can sign up again for the new package and should do so to ensure they have full coverage.
Ascension said the months-long investigation uncovered no evidence to suggest the threat actor accessed its electronic health records or any other clinical systems, so full medical records have not been compromised. Patient data is, however, present in many other files, and while the health information involved was limited, highly sensitive data was stolen in the attack. The compromised data included:
- Personal information such as names, addresses, and dates of birth
- Government identification information such as Social Security numbers, tax identification numbers, driver’s license numbers, and passport numbers
- Medical information such as medical record numbers, dates of service, types of lab tests, and procedure codes
- Payment information such as credit card information and bank account numbers
- Insurance information such as Medicaid/Medicare IDs, policy numbers, and insurance claims
It is common for healthcare providers to send individual notification letters explaining the exact types of data involved for each individual; however, Ascension said that is not possible with this data breach. Affected individuals may have had some or all of the above information compromised. Individual notification letters started to be mailed to the affected individuals on December 19, 2024; however, due to the number of letters, the notification process is expected to take between 2 and 3 weeks. In the meantime, information about the new credit monitoring package and data breach can be obtained by calling the Ascension data breach helpline – (866) 724-3233, which is open from 8 a.m. to 8 p.m. Alternatively, information can be found online at https://response.idx.us/ascension/
At almost 5.6 million records, this is the second-largest hacking incident to be confirmed by a U.S. healthcare organization in 2024, behind the Change Healthcare data breach, which affected an estimated 100 million individuals. It is the third-largest healthcare data breach of 2024 overall, also behind the tracking technology data breach reported by Kaiser Foundation Health Plan, which involved the protected health information of 13.4 million individuals. As of December 19, 2024, 677 data breaches of 500 or more healthcare records have been reported to OCR, involving the protected health information of 182,414,703 individuals.
May 13, 2024: Ascension Ransomware Attack Affects all 140 Hospitals
An Ascension ransomware attack has disrupted clinical operations at all of its 140 hospitals. Phone systems, electronic medical records, patient portals, and systems used to order tests, procedures, and medications are offline. The lack of access to electronic medical records has resulted in elective procedures being postponed to ensure patient safety, and several hospitals are on diversion for emergency services to ensure emergency cases can be triaged immediately. Patients have been advised to bring appointment notes on their symptoms and a list of current medications and prescription numbers or prescription bottles to their appointments.
Ascension, the largest Catholic health system in the United States, identified suspicious activity within its IT systems on May 8, 2024, and took immediate action to contain the incident, which involved taking many of its systems offline and bringing in Mandiant to assist with the response and investigation.
Ascension has confirmed that this was a ransomware attack, as was the case with the hugely disruptive attack on Change Healthcare in February. Ascension has not publicly announced which ransomware group is responsible for the attack; however, CNN spoke with four sources who said the attack was conducted by the Black Basta ransomware group. At this stage, Ascension is unable to provide a timeline on when the restoration work will be completed but said progress is being made and systems will be brought back online when it is determined to be safe to do so.
Ascension is maintaining close contact with the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Health Information Sharing and Analysis Center (H-ISAC) and is sharing data to help other healthcare organizations take the necessary steps to protect themselves against similar attacks. H-ISAC issued an alert on May 10 confirming Black Basta was a major threat to the healthcare industry, and the FBI, CISA, and their security partners have recently issued a sector-wide alert about the Black Basta ransomware group.
The Black Basta ransomware group is known to exfiltrate data, but Ascension is unable to confirm at this stage of the investigation whether patient data was stolen in the attack. If the investigation confirms there has been data theft, the affected patients will be notified in accordance with all relevant regulatory and legal guidelines.
At the Bloomberg Tech Summit in San Francisco last week, Anne Neuberger, deputy national security advisor for cyber and emerging technology, said the Biden administration will be issuing a proposed rule that will require hospitals and other healthcare organizations that receive Medicare and Medicaid payments to ensure that they meet certain minimum standards for cybersecurity, which are likely to be the essential HPH Sector Cybersecurity Performance Goals announced by the HHS earlier this year.
