Major Healthcare Data Breach: Ascension Hit by Ransomware, 5.6M Records Exposed

A massive data breach at Ascension Health has exposed sensitive medical and personal information of approximately 5.6 million patients and employees, the healthcare giant revealed Thursday. The breach stemmed from a ransomware attack that occurred in May 2024, causing widespread disruption across the organization's network of about 140 hospitals and 40 senior care facilities.

The incident began when an employee inadvertently downloaded malware, leading to unauthorized access to patient and employee files between May 7 and 8. The attack forced some Ascension hospitals to divert emergency care and resort to paper-based systems when computer and phone networks were compromised.

The stolen data varied by individual but potentially included:

  • Medical information (record numbers, service dates, lab tests, procedure codes)
  • Financial data (credit card and bank account numbers)
  • Insurance details (Medicare/Medicaid IDs, policy numbers)
  • Personal identification (Social Security numbers, driver's licenses, passport numbers)
  • Basic personal information (birth dates, addresses)

The Russian-linked cybercriminal group Black Basta is believed to be responsible for the attack. The organization, which operates on a ransomware-as-a-service model, has targeted over 500 organizations since its emergence in 2022.

In response, Ascension is offering affected individuals 24 months of credit and CyberScan monitoring, along with a $1 million insurance reimbursement policy and managed identity theft recovery services. The healthcare provider has confirmed restoration of all impacted systems and clinical functions. The incident ranks as the third-largest healthcare-related breach of 2024.

Notification letters will be sent to affected individuals within the next 2-3 weeks. While patient data was compromised, Ascension stated there is no evidence that information was extracted from its Electronic Health Records system, where complete patient records are stored.