Healthcare Provider Ascension Confirms Major Data Breach Linked to Third-Party Vendor
Ascension, one of the largest private healthcare networks in the U.S., has confirmed that 437,329 patients were affected in a data breach stemming from a third-party vulnerability. The incident, disclosed last month, involved the exposure of sensitive personal and health data following a data theft attack on a former business partner in December 2024.
Affected patients are now receiving notification letters outlining the breach and the compromised data.
What Information Was Exposed in the Breach
According to breach disclosures filed with state and federal authorities, the stolen data may include:
- Personal details: Name, date of birth, address, phone numbers, email, race, gender, and Social Security numbers (SSNs).
- Healthcare information: Medical record numbers, physician names, admission and discharge dates, diagnoses, billing codes, and insurance company names.
“On December 5, 2024, we learned that Ascension patient information may have been involved in a potential security incident. We immediately initiated an investigation…” — Ascension
The investigation later confirmed, on January 21, 2025, that Ascension inadvertently disclosed the data to a former partner who was later compromised via a software flaw in a third-party system.
Timeline and Breach Impact by Region
While Ascension initially did not disclose the breach scale, it has since confirmed the following:
- Texas: 114,692 patients affected
- Massachusetts: 96 residents impacted
- Total: 437,329 patients, as per the April 28 filing with the U.S. Department of Health & Human Services (HHS)
The breach aligns with broader ransomware activity in late 2024, likely tied to Clop ransomware attacks exploiting a zero-day vulnerability in Cleo secure file transfer software.
Ongoing Fallout from Previous Cyberattacks
This breach follows a May 2024 ransomware attack by Black Basta, in which 5.6 million patients and staff were impacted. That attack was traced to a malicious file downloaded by an employee, leading to:
- Shutdown of electronic medical records
- Manual tracking of medications and procedures
- Postponement of non-emergency services
- Emergency service redirection to alternate facilities
Mitigation Efforts and Support for Affected Patients
To help mitigate identity theft risks, Ascension is offering two years of free identity monitoring for affected individuals. This includes credit monitoring, fraud consultation, and identity theft restoration services.
About Ascension
Ascension employs over 142,000 people, operates 142 hospitals and 40 senior care facilities, and reported $28.3 billion in revenue in 2023. As one of the largest healthcare systems in North America, its repeated exposure to cyber incidents raises concerns around vendor risk management and healthcare cybersecurity standards.