A recent ransomware attack on US healthcare giant Ascension has affected approximately 5.6 million individuals, exposing their sensitive personal, medical, and financial information. The extent of the data breach was disclosed in a filing to the Office of the Maine Attorney General on December 19.
Ascension revealed that the attackers managed to obtain copies of files containing personal information of both patients and employees. This information included personal details such as names, dates of birth, addresses, Social Security numbers, and drivers’ licenses. Additionally, medical information like medical record numbers, dates of service, and types of lab tests or procedure codes, as well as financial details including credit card information or bank account numbers, were also accessed. The type of information varied by individual, but there is currently no evidence that data was taken from the Electronic Health Records (EHR) and other clinical systems where full patient records are stored.
As a response to the breach, Ascension is in the process of notifying impacted individuals via email over the next two to three weeks. The company has also arranged for affected individuals to receive 24 months of credit and CyberScan monitoring, a $1 million insurance reimbursement policy, and fully managed ID theft recovery services through IDX.
The ransomware attack was reportedly orchestrated by the Black Basta ransomware-as-a-service (RaaS) group, although this has not been officially confirmed. The incident, which occurred in May 2024, led to ambulances being diverted and patient appointments being postponed.
Upon detecting unauthorized activity on its systems on May 8, Ascension initiated an investigation with third-party cybersecurity experts. The company also reported the incident to law enforcement and government partners, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
In June, Ascension disclosed that the ransomware attackers gained access to its systems after an employee inadvertently downloaded a malicious file, indicating that the root cause of the incident was likely a phishing attack.
Overall, this significant data breach highlights the ongoing threat of ransomware attacks targeting healthcare organizations and underscores the importance of robust cybersecurity measures to protect sensitive information and prevent future incidents.