Ascension Discloses New Data Breach After Third-Party Hacking Incident

Ascension, one of the largest private healthcare systems in the United States, has notified patients that their personal and health information was stolen in a December 2024 data theft attack that affected a former business partner. The news comes as a significant blow to the healthcare network, which operates 142 hospitals nationwide, has over 142,000 employees, and reported total revenue of $28.3 billion in 2023.

The incident occurred when Ascension inadvertently disclosed information to a former business partner. Some of that data was then potentially stolen through a vulnerability in third-party software used by the former business partner. The attackers gained access to a combination of personal information, including name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers (SSNs). They could also access personal health information related to inpatient visits, including the physician's name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name.

According to the breach notifications sent to affected individuals, the attackers gained varying levels of access to data depending on the impacted patient. The healthcare system did not say how many patients had their data exposed in this breach. However, the incident has already been linked to a series of Clop ransomware data theft attacks that exploited a zero-day flaw in Cleo secure file transfer software.

Ascension now offers two years of free identity monitoring services, including credit monitoring, fraud consultation, and identity theft restoration, to those affected by this data breach. While the company did not share any additional details regarding the breach impacting its former business partner, the timeline of the breach implies that the attack was part of a larger series of attacks.

Last year, Ascension notified nearly 5.6 million patients and employees that their personal and health data had been stolen in a May 2024 Black Basta ransomware attack. The incident was attributed to an employee who downloaded a malicious file onto a company device. This latest breach highlights the ongoing threat of cyber attacks in the healthcare sector, where sensitive patient information is at risk.

The implications of this latest data breach are far-reaching and underscore the importance of robust cybersecurity measures in protecting sensitive health information. As Ascension continues to navigate this crisis, it remains to be seen how the company will address the vulnerabilities that led to this incident and implement measures to prevent similar breaches in the future.