Ascension Discloses Multiple Third-Party Data Breaches
Ascension Health, a Missouri-based Catholic health system with a network of hospitals and care facilities across 16 states and Washington, D.C., has disclosed multiple third-party data breaches in 2025. These incidents have impacted patients from various locations, including Michigan, Indiana, Alabama, Tennessee, and Texas.
Ascension posted notices for each third-party data breach on its website, including a notice related to the Change Healthcare cyberattack. However, all of these incidents occurred in 2024 or earlier. The disclosures highlight the ongoing threat of third-party data breaches in the healthcare sector.
A February 2025 Report Highlights the Growing Concern
A recent report by Ponemon Institute and Imprivata revealed that 44% of healthcare survey respondents experienced a data breach or cyberattack involving third-party network access in the last 12 months. This demonstrates the significance of third-party risk management for healthcare organizations.
The Latest Incident: A Former Business Partner
The latest incident to impact Ascension patients occurred on December 6, 2024, when Ascension learned that patient information was potentially involved in a security incident that originated at a former business partner. The breach impacted patients from Ascension locations in Michigan, Indiana, Alabama, Tennessee, and Texas.
Ascension determined that it had inadvertently disclosed information to this former business partner due to a vulnerability in third-party software used by the partner. The data involved in the breach included demographic information, Social Security numbers, and clinical information related to inpatient visits.
Law Firm Hack Impacts Ascension Data
On April 14, 2025, Ascension disclosed a third-party data breach stemming from Scharnhorst Ast Kennard Griffin (SAKG), a Missouri-based law firm. The breach did not involve Ascension systems directly.
The incident impacted 639 individuals and involved demographic information, Social Security numbers, medical treatment information, medical record numbers, and patient account numbers.
Telehealth Company Data Breach Affects Ascension Patients
On March 3, 2025, Ascension posted a notice on its website informing patients of a third-party data breach that originated at Access TeleCare, a company that provides telehealth services to Ascension Seton in Texas.
The affected email accounts contained names, dates of birth, Social Security numbers, passport numbers, financial account information, and treatment information. None of Ascension's internal systems were impacted by this incident.
Wound Care Management Company Discloses Email Breach
In February 2025, Ascension posted a notice about a data breach that occurred at Restorix Health, a business partner that provides wound care management services to Ascension Michigan, Ascension St. Vincent’s Riverside, and Ascension St. Agnes.
Once again, the breach did not affect Ascension systems directly. However, the Restorix incident did impact Ascension patient data. On May 30, 2024, Restorix learned that an unauthorized party gained access to an employee email account, maintaining that access from May 7 to May 29.
Restorix advised its healthcare partners on December 18, 2024, that some protected health information was contained in the affected email account. The company established a call center for people impacted by the breach.
A Call to Action: Enhanced Measures
Ascension confirmed that the incident did not involve any of its internal systems, networks, or EHR systems. "We have since reviewed our processes and are working to implement enhanced measures to prevent similar incidents from occurring in the future," Ascension stated.
A Reminder: Third-Party Risk Continues to Be a Pain Point
These incidents demonstrate that third-party risk remains a pain point for healthcare organizations. It is essential for healthcare providers to prioritize third-party risk management and implement robust measures to prevent such breaches.