Ascension, one of the largest private healthcare systems in the United States, has confirmed that a recent data breach compromised the personal and healthcare information of over 430,000 patients. The breach was disclosed in notification letters sent to affected individuals in April, which revealed that the data was stolen during a cyber incident affecting a former business partner of the organization earlier, in December.
The breach allowed attackers to access sensitive personal health information, including details about inpatient visits, such as physician names, admission and discharge dates, diagnosis, billing codes, and medical record numbers. Personal details such as names, addresses, phone numbers, email addresses, dates of birth, race, gender, and Social Security numbers (SSNs) were also exposed.
Ascension stated in a public communication, “On December 5, 2024, we learned that Ascension patient information may have been involved in a potential security incident. Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.”
The incident has particularly impacted individuals in Texas and Massachusetts, where the totals are reported as 114,692 and 96 respectively. Although Ascension initially withheld the exact number of affected individuals, an April 28 filing with the U.S. Department of Health & Human Services (HHS) later revealed that 437,329 individuals were impacted by the breach.
To assist those affected, Ascension is offering two years of complimentary identity monitoring services, which include credit monitoring, fraud consultation, and identity theft restoration services. Details of the breach at the former business partner remain sparse, though experts suggest that it may be linked to a series of ransomware attacks exploiting a critical flaw in Cleo secure file transfer software.
Only last year, Ascension notified nearly 5.6 million patients and employees of a major ransomware attack attributed to the Black Basta group, which resulted from an employee inadvertently downloading a malicious file. This incident significantly disrupted Ascension’s operations, forcing staff to revert to manual record-keeping and halt non-emergency medical services.
With a workforce exceeding 142,000, Ascension operates 142 hospitals and 40 senior care facilities across North America and reported revenues of $28.3 billion in 2023. As the healthcare industry grapples with increasing cyber threats, Ascension’s incident underscores the need for stringent data security measures.