Ascension Reports Data Breach Impacting Over 430,000 Patients

Ascension, a leading private healthcare system in the United States, has disclosed that a recent data breach affects the personal and health information of over 430,000 patients. With a workforce exceeding 142,000 employees and operating 142 hospitals nationwide, Ascension reported a revenue of $28.3 billion in 2023.

According to breach notification letters sent to affected individuals in April, the data was compromised during a cyber incident that occurred in December, involving a former business partner of Ascension. The breach potentially exposed critical patient information such as details about inpatient visits, including physician names, admission and discharge dates, diagnoses and billing codes, medical record numbers, as well as insurance details. Additionally, personal information such as names, addresses, phone numbers, email addresses, dates of birth, race, gender, and Social Security numbers was also vulnerable.

On December 5, 2024, Ascension became aware of the potential security incident and initiated an investigation to ascertain the circumstances surrounding it. The investigation revealed on January 21, 2025, that patient information may have been unintentionally disclosed to a former business partner, and some of this information was likely stolen due to a vulnerability in third-party software utilized by that partner.

While initial reports did not specify the total number of individuals affected, filings from late April indicated that the incident impacted 114,692 patients in Texas. Furthermore, reports to the Massachusetts Office of the Attorney General indicated that 96 residents had their medical records and Social Security numbers exposed. However, a filing with the U.S. Department of Health & Human Services disclosed that the total number of affected individuals stands at 437,329.

Ascension is offering two years of complimentary identity monitoring services to those impacted by the breach. This includes credit monitoring, fraud consultation, and identity theft restoration support.

Although details surrounding the nature of the breach affecting Ascension’s former business partner have not been disclosed, the incident closely follows a series of widespread Clop ransomware attacks that exploited a zero-day vulnerability in Cleo secure file transfer software.

This announcement follows a previous breach in May 2024, which compromised the information of nearly 5.6 million patients and employees during a Black Basta ransomware attack. It was revealed that this earlier breach was the result of an employee inadvertently downloading a malicious file onto a company device. Following that attack, operations were severely disrupted, with personnel required to rely on manual processes for tracking procedures and medications, as patient electronic records were inaccessible. Ascension also had to suspend various non-emergency elective procedures and redirect emergency medical services to ensure patient care was not compromised.

This incident underscores the critical need for robust cybersecurity measures within healthcare organizations to protect sensitive patient information from evolving cyber threats.