Saturday, May 10, 2025

Ascension says recent data breach affects over 430,000 patients


Ascension, one of the largest private healthcare systems in the United States, has revealed that the personal and healthcare information of over 430,000 patients was exposed in a data breach disclosed last month.

As Ascension revealed in breach notification letters sent to affected individuals in April, their information was stolen in a data theft attack that impacted a former business partner in December.

Depending on the impacted patient, the attackers could access personal health information related to inpatient visits, including the physician’s name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name. They could also gain access to personal information, including name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers (SSNs).

“On December 5, 2024, we learned that Ascension patient information may have been involved in a potential security incident. We immediately initiated an investigation to determine whether and how a security incident occurred,” Ascension said.

“Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.”

While Ascension didn’t reveal the total number of affected individuals at the time, an April 29 filing said that the incident impacted 114,692 individuals in Texas, and the company also told Massachusetts’ Office of the Attorney General that 96 residents had their medical records and SSNs exposed in the incident.

However, in an April 28 filing with the U.S. Department of Health & Human Services (HHS) that wasn’t published until today, the healthcare giant disclosed that the data breach affected 437,329 individuals.

[Figure: Ascension Health data breach impact. Breach details shared with the HHS (BleepingComputer)]

Ascension offers two years of free identity monitoring services to those impacted by this incident, including credit monitoring, fraud consultation, and identity theft restoration.

Although Ascension didn’t share any details regarding the breach affecting its former business partner, the timeline of the breach implies that the attack was part of widespread Clop ransomware data theft attacks that exploited a zero-day flaw in Cleo secure file transfer software.

Last year, Ascension notified almost 5.6 million patients and employees that their personal, financial, insurance, and health information had been stolen in a May 2024 Black Basta ransomware attack.

After the incident, the healthcare organization revealed that the ransomware breach resulted from an employee downloading a malicious file onto a company device.

Following the May 2024 attack, employees were forced to keep track of procedures and medications on paper, as patients’ electronic records couldn’t be accessed. Ascension also had to pause some non-emergent elective procedures, tests, and appointments and redirect emergency medical services to unaffected healthcare units to prevent triage delays.

Ascension has over 142,000 employees, operates 142 hospitals and 40 senior care facilities across North America, and reported revenues of $28.3 billion in 2023.
