Ascension reveals personal data of 437,329 patients exposed in cyberattack
Ascension, one of the largest private healthcare systems in the United States, has revealed that a December 2024 data breach exposed the health information of over 430,000 patients. The breach was caused by a former partner's compromise and resulted in the theft of personal and clinical data, including names, contact info, SSNs, and medical visit details.
Ascension notified patients at the end of April that their personal and health information had been compromised in the cyberattack. According to the company, the specific information involved varies by individual, and it says all impacted individuals are entitled to two years of free identity monitoring, including credit monitoring, fraud support, and identity theft restoration through Kroll.
A Complex Web of Security Breach
Ascension stated in a data breach notification sent to impacted individuals that they learned on December 5, 2024, that their patient information may have been involved in a potential security incident. An investigation was immediately initiated to determine whether and how the security incident occurred.
The company's investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner. However, the company did not provide technical details about the security breach.
A Likely Culprit: Clop Ransomware Attack
Experts believe that the breach was likely caused by a Clop ransomware attack exploiting a flaw in Cleo file transfer software. The use of third-party software can often leave organizations vulnerable to cyberattacks, and in this case, it appears that Ascension's former partner fell victim to a security incident.
Affecting Thousands Across the Country
Ascension disclosed in an April 28 filing with the U.S. Department of Health & Human Services (HHS) that the data breach affected 437,329 individuals. However, it's worth noting that another 96 residents in Massachusetts were also impacted. In Texas, the breach affected 114,692 people.
A Previous Ransomware Attack
Ascension previously suffered a ransomware attack in May 2024 that severely impacted operations at hospitals across the country. This incident highlights the importance of cybersecurity for healthcare organizations and underscores the need for ongoing vigilance against cyber threats.
Action Plan
Ascension is committed to protecting its patients' data and has put in place a plan to prevent similar incidents in the future. By offering free identity monitoring, including credit monitoring, fraud support, and identity theft restoration through Kroll, the company aims to provide impacted individuals with peace of mind and support.
Conclusion
The Ascension data breach is a stark reminder of the importance of cybersecurity for healthcare organizations. As one of the largest private healthcare systems in the United States, Ascension has a responsibility to protect its patients' sensitive information. By taking steps to prevent similar incidents and providing support to impacted individuals, Ascension can help rebuild trust with its patients and ensure that their data is protected.