Ascension, one of the largest private healthcare institutions in the United States, revealed that the personal and healthcare information of over 430,000 patients was leaked in a data breach last month.
As disclosed in the breach notification letters Ascension sent to affected individuals in April, their information was stolen in a data theft attack in December that affected a former business partner.
Depending on the affected patient, the attackers could access personal health information related to hospitalization, including doctor names, admission and discharge dates, diagnosis and billing codes, medical record numbers, and insurance company names. They could also access personal information, including name, address, phone number, email address, date of birth, race, gender, and Social Security Number (SSN).
Ascension stated: “On December 5, 2024, we learned that Ascension patient information may be involved in a potential security incident. We will immediately launch an investigation to determine whether and how a security incident occurred.”
“Our investigation determined on January 21, 2025 that Ascension unintentionally leaked information to its former business partners, and some of the information was likely stolen due to vulnerabilities in third-party software used by its former business partners.”
Although Ascension did not disclose the total number of people affected at the time, a document on April 29th stated that the incident affected 114,692 people in Texas. The company also informed the Massachusetts Attorney General’s Office that medical records and Social Security Numbers (SSNs) of 96 residents were leaked during the incident.
However, the healthcare giant also disclosed in a document submitted to the US Department of Health and Human Services (HHS) on April 28th that the data breach affected 437,329 people, which was not released until today.
Ascension provides two years of free identity monitoring services for users affected by this incident, including credit monitoring, fraud consultation, and identity theft recovery.
Although Ascension did not disclose any details about the breach affecting its former business partners, the timeline of the breach suggests that this attack was part of a widespread Clop ransomware data theft attack that exploited a zero-day vulnerability in Cleo’s secure file transfer software.
Last year, Ascension notified nearly 5.6 million patients and employees that their personal, financial, insurance, and health information had been stolen in the Black Basta ransomware attack in May 2024.
After the incident, the medical institution revealed that the ransomware attack was caused by an employee downloading malicious files onto the company’s device.
After the attack in May 2024, due to the inability to access patients’ electronic records, employees were forced to record the treatment process and medication use in paper form. Ascension also had to suspend some non-emergency elective surgeries, examinations, and appointments, and transfer emergency medical services to unaffected medical units to prevent triage delays.
Ascension has over 142,000 employees and operates 142 hospitals and 40 elderly care facilities in North America, with a revenue of $28.3 billion in 2023.

