Ascension, one of the largest healthcare networks in the United States, revealed that a ransomware attack in May 2024 was caused by an employee downloading a malicious file onto their company device. Ascension believes this was an “honest mistake,” as the employee thought they were downloading a legitimate file.
What Happened in the Ascension Hack?
The attack impacted Ascension’s MyChart electronic health records system, phones, and systems used to order tests, procedures, and medications. On May 8th, Ascension took some of their devices offline to contain what they initially described as a “cybersecurity event.” This forced employees to use paper records as they could no longer access patient data electronically.
Ascension also paused some non-emergency procedures, tests, and appointments. Emergency medical services were diverted to other healthcare units to avoid triage delays. As of June 13th, Ascension said some services were still impacted and they were working to restore some electronic health records, patient portals, phone systems, and testing/procedure ordering capabilities.
Attackers Gained Access to Seven Servers
The investigation found evidence that threat actors gained access to and stole files from only seven of Ascension’s approximately 25,000 servers.
“These servers represent seven of the approximately 25,000 servers across our network,” an Ascension spokesperson said.
“Though we are still investigating, we believe some of those files may contain Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals, although the specific data may differ from individual to individual.”
However, Ascension has yet to find proof that attackers stole data from its Electronic Health Records (EHR) and other clinical systems, which store full patient records.
Black Basta Ransomware Gang Believed to be Responsible
While Ascension did not name the specific ransomware operation, reports linked the Black Basta ransomware gang to the attack. Just days after the attack, Health-ISAC issued a threat bulletin warning that Black Basta “has recently accelerated attacks against the healthcare sector.”
Black Basta emerged in April 2022, and its affiliates have breached many high-profile victims, including Rheinmetall, Capita, ABB, and the Toronto Public Library. Research revealed that Black Basta affiliates had collected over $100 million in ransom payments from at least 90 victims until November 2023.
Impact on Ascension Healthcare Network
Because Ascension is one of the largest nonprofit health networks in the U.S., the cyberattack had major implications. Ascension operates 140 hospitals and 40 senior care facilities, and had a total 2023 revenue of $28.3 billion. They employ 8,500 providers and are affiliated with 35,000 additional providers and 134,000 associates across 19 states and Washington D.C. The ransomware attack significantly disrupted Ascension’s operations until impacted systems could be restored.
The “honest mistake” of a single employee downloading a malicious file led to one of the largest healthcare providers in America falling victim to ransomware. While the specific damage is still being assessed, Ascension will likely take lessons from this event to further strengthen their cybersecurity and user awareness going forward.