Ascension, one of the largest healthcare systems in the United States, has reported a data breach impacting approximately 5.6 million patients and employees. The breach stemmed from a ransomware attack in May 2024, during which threat actors gained access to sensitive personal and medical data.
The compromise occurred after an employee inadvertently downloaded a malicious file, allowing attackers unauthorized entry into the network. The accessed data included:
- Names, dates of birth, addresses
- Social Security and driver’s license numbers
- Medical record numbers, procedure codes, dates of service, and lab test types
- Insurance information such as Medicaid and Medicare IDs and policy numbers
- Financial data including bank account and credit card numbers
Ascension clarified that its core electronic health records (EHR) systems were not impacted. However, operational disruptions forced several hospitals to revert to paper records and delay non-urgent procedures.
In response to the incident, Ascension is providing 24 months of complimentary identity protection services through IDX. These include CyberScan monitoring, credit monitoring, identity theft recovery assistance, and a $1 million reimbursement insurance policy.
Law enforcement and federal cybersecurity authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), were notified. The healthcare provider also stated it is taking steps to enhance its cybersecurity posture and prevent similar incidents in the future.
Ascension operates 140 hospitals and 40 senior care facilities across the U.S., with a workforce of over 134,000 associates. The organization began directly notifying impacted individuals with personalized instructions for enrolling in protection services.
