Missouri-Based Hospital Chain Initially Reported That Attack Affected Only 500
More than seven months after a ransomware attack disrupted its IT systems for weeks, Catholic hospital chain Ascension Health is now notifying nearly 5.6 million current and former patients and employees that the incident - which also involved data theft - potentially compromised their sensitive information.
Ascension, which initially filed a report to federal regulators in July with a placeholder estimate of 500 individuals affected, updated that report on Thursday, also notifying state regulators, including the attorneys general of California and Maine.
The severity of IT disruption caused by the incident varied across regions served by the Missouri-based chain, which operates 140 hospitals and 40 senior care facilities in 19 states plus the District of Columbia.
The breach also affected senior citizens living at the organization's residential facilities, Ascension said.
The organization said that it is no longer experiencing IT disruption caused by the attack. "We have successfully restored our systems in a safe and secure fashion, and we are no longer on downtime procedures because of this incident," Ascension said. "Clinicians can access medical records electronically as they did prior to this incident" (see: Impact of Ascension's Cyberattack Outage Varies by Region).
Sources close to the investigation into the incident said Russian-speaking ransomware gang Black Basta was behind the attack. Ascension has not publicly commented on those claims.
Ascension also did not immediately respond to Information Security Media Group's request for additional details about the incident.
Data compromised in the incident varies and cannot be confirmed for each individual, Ascension said.
Among the long list of information potentially affected is medical information - such as medical record number, date of service, types of lab tests, or procedure codes; payment information - such as credit card information or bank account number; insurance information - including Medicaid/Medicare ID, policy number, or insurance claim; government identification like Social Security number, tax identification number, driver's license number, or passport number; and other personal information, including date of birth and address.
"Although patient data was involved, importantly, there remains no evidence that data was taken from our electronic health records and other clinical systems, where our full patient records are securely stored," Ascension said.
The ransomware attackers stole files from seven of Ascension's 25,000 servers after gaining access to the organization's network when an employee inadvertently downloaded a file containing malware, Ascension said in June (see: Worker Downloaded Malware Caused Ascension Ransomware Attack).
Ascension is already facing several proposed federal class action lawsuits stemming from the incident, each seeking similar relief, including financial damages and an injunction for the organization to improve its security practices.
The healthcare system is offering affected individuals two years of complimentary identity and credit monitoring.
As of Friday, the Ascension incident ranked as the third-largest 2024 health data breach posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing protected health information breaches affecting 500 or more individuals.
Unfortunately, these kinds of attacks on the healthcare sector will undoubtedly continue in the year ahead, some experts said.
"Neither market forces nor regulation are working to protect healthcare from cybercrime and intentional disruption," said Mike Hamilton, field CISO at security firm Lumifi.
"None of this will stop until the federal government gets serious about treating the country's logical border as if it were a physical border and use allow-listing to receive only preauthorized traffic," he said.
"A national privacy statute that supersedes states' private right of action will help to preserve what's left of healthcare in the United States, rather than continuing to sue hospitals out of existence."