Healthcare Dive: Ascension Cyberattack Exposes Data of 5.6 Million Individuals
A recent report to federal regulators revealed that data from nearly 5.6 million individuals was exposed in a ransomware attack on nonprofit health system Ascension earlier this year. The attack compromised information belonging to current and former Ascension patients, senior living residents, and employees. The exposed data included personal information, medical records, payment information, insurance details, and government ID numbers, including Social Security numbers.
This breach ranks as the third largest reported to the HHS’ Office for Civil Rights’ healthcare data breach portal this year, following incidents at Change Healthcare and Kaiser Foundation Health Plan.
Ascension, known as one of the largest nonprofit health systems in the nation, fell victim to a ransomware attack in May that took critical technology systems offline, including the electronic health record system and patient portal. Some facilities were forced to divert ambulances, and elective care had to be paused in the aftermath of the incident.
The financial impact of the cyberattack on Ascension was substantial, with the provider reporting a $1.1 billion net loss in its 2024 fiscal year. This setback significantly hindered the health system’s financial improvement from the previous year.
Following an investigation, Ascension disclosed that cybercriminals gained access to its systems after a worker inadvertently downloaded a malicious file, potentially exposing personally identifiable and protected health information. The health system has now completed its review of the compromised data and is in the process of mailing letters to affected individuals, expected to be delivered within the next two to three weeks.
Although the breach involved patient data, Ascension said there was no evidence that data was stolen from its EHR and other clinical systems where full patient records are stored.
The Ascension cyberattack adds to the challenges faced by the healthcare industry in terms of cybersecurity in 2024. Earlier in the year, the attack on UnitedHealth-owned technology firm and claims processor Change Healthcare disrupted the industry for weeks, exposing data from 100 million individuals – marking the largest healthcare breach reported to federal regulators. Other significant breaches in 2024 include Kaiser Foundation Health Plan, impacting 13.4 million current and former plan members, and health benefits administrator HealthEquity, affecting 4.3 million individuals.
As healthcare organizations continue to face evolving cyber threats, it is crucial for them to prioritize robust cybersecurity measures to safeguard patient data and maintain the trust of their stakeholders.