Ascension Ransomware Attack Affects all 140 Hospitals
An Ascension ransomware attack has disrupted clinical operations at all of its 140 hospitals. Phone systems, electronic medical records, patient portals, and systems used to order tests, procedures, and medications are offline. The lack of access to electronic medical records has resulted in elective procedures being postponed to ensure patient safety, and several hospitals are on diversion for emergency services to ensure emergency cases can be triaged immediately. Patients have been advised to bring appointment notes on their symptoms and a list of current medications and prescription numbers or prescription bottles to their appointments.
Ascension, the largest Catholic health system in the United States, identified suspicious activity within its IT systems on May 8, 2023, and took immediate action to contain the incident, which involved taking many of its systems offline and bringing in Mandiant to assist with the response and investigation.
Ascension has confirmed that this was a ransomware attack, as was the case with the hugely disruptive attack on Change Healthcare in February. Ascension has not publicly announced which ransomware group is responsible for the attack; however, CNN spoke with four sources who said the attack was conducted by the Black Basta ransomware group. At this stage, Ascension is unable to provide a timeline on when the restoration work will be completed but said progress is being made and systems will be brought back online when it is determined to be safe to do so.
Ascension is maintaining close contact with the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Health Information Sharing and Analysis Center (H-ISAC) and is sharing data to help other healthcare organizations take the necessary steps to protect themselves against similar attacks. H-ISAC issued an alert on May 10 confirming Black Basta was a major threat to the healthcare industry, and the FBI, CISA, and their security partners have recently issued a sector-side alert about the Black Basta ransomware group.
The Black Basta ransomware group is known to exfiltrate data, but Ascension is unable to confirm at this stage of the investigation whether patient data was stolen in the attack. If the investigation confirms there has been data theft, the affected patients will be notified in accordance with all relevant regulatory and legal guidelines.
At the Bloomberg Tech Summit in San Francisco last week, Anne Neuberger, deputy national security advisor for cyber and emerging technology, said the Biden administration will be issuing a proposed rule that will require hospitals and other healthcare organizations that receive Medicare and Medicaid payments to ensure that they meet certain minimum standards for cybersecurity, which are likely to be the essential HPH Sector Cybersecurity Performance Goals announced by the HHS earlier this year.